Fast crash recovery for distributed database systems

ABSTRACT

A distributed database system may implement fast crash recovery. Upon recovery from a database head node failure, a connection with one or more storage nodes of a distributed storage system storing data for a database implemented by the database head node may be established. Upon establishment of the connection with the storage nodes, that database may be made available for access, such as for various access requests. In various embodiments, redo log records may not be replayed in order to provide access to the database. In at least some embodiments, the storage nodes may provide a current state of data stored for the database in response to requests.

RELATED APPLICATIONS

This application claims benefit of priority to U.S. Provisional Application Ser. No. 61/799,609, entitled “Fast Crash Recovery for Distributed Database Systems,” filed Mar. 15, 2013, and which is incorporated herein by reference in its entirety.

BACKGROUND

Distribution of various components of a software stack can in some cases provide (or support) fault tolerance (e.g., through replication), higher durability, and less expensive solutions (e.g., through the use of many smaller, less-expensive components rather than fewer large, expensive components). However, databases have historically been among the components of the software stack that are least amenable to distribution. For example, it can difficult to distribute databases while still ensuring the so-called ACID properties (e.g., Atomicity, Consistency, Isolation, and Durability) that they are expected to provide.

While most existing relational databases are not distributed, some existing databases are “scaled out” (as opposed to being “scaled up” by merely employing a larger monolithic system) using one of two common models: a “shared nothing” model, and a “shared disk” model. In general, in a “shared nothing” model, received queries are decomposed into database shards (each of which includes a component of the query), these shards are sent to different compute nodes for query processing, and the results are collected and aggregated before they are returned. In general, in a “shared disk” model, every compute node in a cluster has access to the same underlying data. In systems that employ this model, great care must be taken to manage cache coherency. In both of these models, a large, monolithic database is replicated on multiple nodes (including all of the functionality of a stand-alone database instance), and “glue” logic is added to stitch them together. For example, in the “shared nothing” model, the glue logic may provide the functionality of a dispatcher that subdivides queries, sends them to multiple compute notes, and then combines the results. In a “shared disk” model, the glue logic may serve to fuse together the caches of multiple nodes (e.g., to manage coherency at the caching layer). These “shared nothing” and “shared disk” database systems can be costly to deploy, and complex to maintain, and may over-serve many database use cases.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating various components of a database software stack, according to one embodiment.

FIG. 2 is a block diagram illustrating a service system architecture that may be configured to implement a web services-based database service, according to some embodiments.

FIG. 3 is a block diagram illustrating various components of a database system that includes a database engine and a separate distributed database storage service, according to one embodiment.

FIG. 4 is a block diagram illustrating a distributed database-optimized storage system, according to one embodiment.

FIG. 5 is a block diagram illustrating the use of a separate distributed database-optimized storage system in a database system, according to one embodiment.

FIG. 6 is a block diagram illustrating how data and metadata may be stored on a given node of a distributed database-optimized storage system, according to one embodiment.

FIG. 7 is a block diagram illustrating an example configuration of a database volume, according to one embodiment.

FIG. 8 is a flow diagram illustrating a method for system-wide checkpoint avoidance in a distributed database system, according to some embodiments.

FIG. 9A is a series of illustrations demonstrating a method to perform fast crash recovery for a distributed database system, according to some embodiments.

FIG. 9B is a flow diagram illustrating a method to perform fast crash recovery for a distributed database system, according to some embodiments.

FIG. 9C is a flow diagram illustrating a method to process access requests in a recovered database, according to some embodiments.

FIG. 10 is a block diagram illustrating a computer system configured to implement at least a portion of a database system that includes a database engine and a separate distributed database storage service, according to various embodiments.

While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that the embodiments are not limited to the embodiments or drawings described. It should be understood, that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). The words “include,” “including,” and “includes” indicate open-ended relationships and therefore mean including, but not limited to. Similarly, the words “have,” “having,” and “has” also indicate open-ended relationships, and thus mean having, but not limited to. The terms “first,” “second,” “third,” and so forth as used herein are used as labels for nouns that they precede, and do not imply any type of ordering (e.g., spatial, temporal, logical, etc.) unless such an ordering is otherwise explicitly indicated.

Various components may be described as “configured to” perform a task or tasks. In such contexts, “configured to” is a broad recitation generally meaning “having structure that” performs the task or tasks during operation. As such, the component can be configured to perform the task even when the component is not currently performing that task (e.g., a computer system may be configured to perform operations even when the operations are not currently being performed). In some contexts, “configured to” may be a broad recitation of structure generally meaning “having circuitry that” performs the task or tasks during operation. As such, the component can be configured to perform the task even when the component is not currently on. In general, the circuitry that forms the structure corresponding to “configured to” may include hardware circuits.

Various components may be described as performing a task or tasks, for convenience in the description. Such descriptions should be interpreted as including the phrase “configured to.” Reciting a component that is configured to perform one or more tasks is expressly intended not to invoke 35 U.S.C. § 112, paragraph six, interpretation for that component.

“Based On.” As used herein, this term is used to describe one or more factors that affect a determination. This term does not foreclose additional factors that may affect a determination. That is, a determination may be solely based on those factors or based, at least in part, on those factors. Consider the phrase “determine A based on B.” While B may be a factor that affects the determination of A, such a phrase does not foreclose the determination of A from also being based on C. In other instances, A may be determined based solely on B.

The scope of the present disclosure includes any feature or combination of features disclosed herein (either explicitly or implicitly), or any generalization thereof, whether or not it mitigates any or all of the problems addressed herein. Accordingly, new claims may be formulated during prosecution of this application (or an application claiming priority thereto) to any such combination of features. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the appended claims.

DETAILED DESCRIPTION

Various embodiments of system-wide checkpoint avoidance for a distributed database system are disclosed. A storage node of a distributed storage system may, in some embodiments, receive one or more redo log records linked to a particular data page of stored on the storage node from a database system. The data page may be one of a plurality of data pages storing data for a database. A coalesce event may be detected for the particular data page based, at least in part, on the one or more redo log records linked to the particular data page. A coalesce operation may be performed to apply the one or more log records to a previously stored version of the particular data page to generate the particular data page in its current state.

Various embodiments of fast crash recovery for a distributed database system are disclosed. A database system head node may, in some embodiments, perform a failure recovery operation. Upon recovery from a system failure, connections with storage nodes of a distributed storage system that store data for a database may be established. In some embodiments, upon establishment of the connections with the storage nodes, a database head node may make the database available for access. In at least some embodiments, one or more access requests may be received, and a current state of one or more data pages may requested and received from the storage nodes.

The specification first describes an example web services-based database service configured to implement the system-wide checkpoint avoidance (e.g., creating, deletion, use, manipulation, etc.) and fast crash recovery techniques. Included in the description of the example web services-based database service are various aspects of the example web services-based database service, such as a database engine and a separate distributed database storage service. The specification then describes flowcharts of various embodiments of methods for system-wide checkpoint avoidance and fast crash recovery. Next, the specification describes an example system that may implement the disclosed techniques. Various examples are provided throughout the specification.

The systems described herein may, in some embodiments, implement a web service that enables clients (e.g., subscribers) to operate a data storage system in a cloud computing environment. In some embodiments, the data storage system may be an enterprise-class database system that is highly scalable and extensible. In some embodiments, queries may be directed to database storage that is distributed across multiple physical resources, and the database system may be scaled up or down on an as needed basis. The database system may work effectively with database schemas of various types and/or organizations, in different embodiments. In some embodiments, clients/subscribers may submit queries in a number of ways, e.g., interactively via an SQL interface to the database system. In other embodiments, external applications and programs may submit queries using Open Database Connectivity (ODBC) and/or Java Database Connectivity (JDBC) driver interfaces to the database system.

More specifically, the systems described herein may, in some embodiments, implement a service-oriented database architecture in which various functional components of a single database system are intrinsically distributed. For example, rather than lashing together multiple complete and monolithic database instances (each of which may include extraneous functionality, such as an application server, search functionality, or other functionality beyond that required to provide the core functions of a database), these systems may organize the basic operations of a database (e.g., query processing, transaction management, caching and storage) into tiers that may be individually and independently scalable. For example, in some embodiments, each database instance in the systems described herein may include a database tier (which may include a single database engine head node and a client-side storage system driver), and a separate, distributed storage system (which may include multiple storage nodes that collectively perform some of the operations traditionally performed in the database tier of existing systems).

As described in more detail herein, in some embodiments, some of the lowest level operations of a database, (e.g., backup, restore, snapshot, recovery, log record manipulation, and/or various space management operations) may be offloaded from the database engine to the storage layer and distributed across multiple nodes and storage devices. For example, in some embodiments, rather than the database engine applying changes to a database (or data pages thereof) and then sending the modified data pages to the storage layer, the application of changes to the stored database (and data pages thereof) may be the responsibility of the storage layer itself. In such embodiments, redo log records, rather than modified data pages, may be sent to the storage layer, after which redo processing (e.g., the application of the redo log records) may be performed somewhat lazily and in a distributed manner (e.g., by a background process). In some embodiments, crash recovery (e.g., the rebuilding of data pages from stored redo log records) may also be performed by the storage layer and may also be performed by a distributed (and, in some cases, lazy) background process.

In some embodiments, because only redo logs (and not modified data pages) are sent to the storage layer, there may be much less network traffic between the database tier and the storage layer than in existing database systems. In some embodiments, each redo log may be on the order of one-tenth the size of the corresponding data page for which it specifies a change. Note that requests sent from the database tier and the distributed storage system may be asynchronous and that multiple such requests may be in flight at a time.

In general, after being given a piece of data, a primary requirement of a database is that it can eventually give that piece of data back. To do this, the database may include several different components (or tiers), each of which performs a different function. For example, a traditional database may be thought of as having three tiers: a first tier for performing query parsing, optimization and execution; a second tier for providing transactionality, recovery, and durability; and a third tier that provides storage, either on locally attached disks or on network-attached storage. As noted above, previous attempts to scale a traditional database have typically involved replicating all three tiers of the database and distributing those replicated database instances across multiple machines.

In some embodiments, the systems described herein may partition functionality of a database system differently than in a traditional database, and may distribute only a subset of the functional components (rather than a complete database instance) across multiple machines in order to implement scaling. For example, in some embodiments, a client-facing tier may be configured to receive a request specifying what data is to be stored or retrieved, but not how to store or retrieve the data. This tier may perform request parsing and/or optimization (e.g., SQL parsing and optimization), while another tier may be responsible for query execution. In some embodiments, a third tier may be responsible for providing transactionality and consistency of results. For example, this tier may be configured to enforce some of the so-called ACID properties, in particular, the Atomicity of transactions that target the database, maintaining Consistency within the database, and ensuring Isolation between the transactions that target the database. In some embodiments, a fourth tier may then be responsible for providing Durability of the stored data in the presence of various sorts of faults. For example, this tier may be responsible for change logging, recovery from a database crash, managing access to the underlying storage volumes and/or space management in the underlying storage volumes.

Turning now to the figures, FIG. 1 is a block diagram illustrating various components of a database software stack, according to one embodiment. As illustrated in this example, a database instance may include multiple functional components (or layers), each of which provides a portion of the functionality of the database instance. In this example, database instance 100 includes a query parsing and query optimization layer (shown as 110), a query execution layer (shown as 120), a transactionality and consistency management layer (shown as 130), and a durability and space management layer (shown as 140). As noted above, in some existing database systems, scaling a database instance may involve duplicating the entire database instance one or more times (including all of the layers illustrated in FIG. 1), and then adding glue logic to stitch them together. In some embodiments, the systems described herein may instead offload the functionality of durability and space management layer 140 from the database tier to a separate storage layer, and may distribute that functionality across multiple storage nodes in the storage layer.

In some embodiments, the database systems described herein may retain much of the structure of the upper half of the database instance illustrated in FIG. 1, but may redistribute responsibility for at least portions of the backup, restore, snapshot, recovery, and/or various space management operations to the storage tier. Redistributing functionality in this manner and tightly coupling log processing between the database tier and the storage tier may improve performance, increase availability and reduce costs, when compared to previous approaches to providing a scalable database. For example, network and input/output bandwidth requirements may be reduced, since only redo log records (which are much smaller in size than the actual data pages) may be shipped across nodes or persisted within the latency path of write operations. In addition, the generation of data pages can be done independently in the background on each storage node (as foreground processing allows), without blocking incoming write operations. In some embodiments, the use of log-structured, non-overwrite storage may allow backup, restore, snapshots, point-in-time recovery, and volume growth operations to be performed more efficiently, e.g., by using metadata manipulation rather than movement or copying of a data page. In some embodiments, the storage layer may also assume the responsibility for the replication of data stored on behalf of clients (and/or metadata associated with that data, such as redo log records) across multiple storage nodes. For example, data (and/or metadata) may be replicated locally (e.g., within a single “availability zone” in which a collection of storage nodes executes on its own physically distinct, independent infrastructure) and/or across availability zones in a single region or in different regions.

In various embodiments, the database systems described herein may support a standard or custom application programming interface (API) for a variety of database operations. For example, the API may support operations for creating a database, creating a table, altering a table, creating a user, dropping a user, inserting one or more rows in a table, copying values, selecting data from within a table (e.g., querying a table), canceling or aborting a query, creating a snapshot, and/or other operations.

In some embodiments, the database tier of a database instance may include a database engine head node server that receives read and/or write requests from various client programs (e.g., applications) and/or subscribers (users), then parses them and develops an execution plan to carry out the associated database operation(s). For example, the database engine head node may develop the series of steps necessary to obtain results for complex queries and joins. In some embodiments, the database engine head node may manage communications between the database tier of the database system and clients/subscribers, as well as communications between the database tier and a separate distributed database-optimized storage system.

In some embodiments, the database engine head node may be responsible for receiving SQL requests from end clients through a JDBC or ODBC interface and for performing SQL processing and transaction management (which may include locking) locally. However, rather than generating data pages locally, the database engine head node (or various components thereof) may generate redo log records and may ship them to the appropriate nodes of a separate distributed storage system. In some embodiments, a client-side driver for the distributed storage system may be hosted on the database engine head node and may be responsible for routing redo log records to the storage system node (or nodes) that store the segments (or data pages thereof) to which those redo log records are directed. For example, in some embodiments, each segment may be mirrored (or otherwise made durable) on multiple storage system nodes that form a protection group. In such embodiments, the client-side driver may keep track of the nodes on which each segment is stored and may route redo logs to all of the nodes on which a segment is stored (e.g., asynchronously and in parallel, at substantially the same time), when a client request is received. As soon as the client-side driver receives an acknowledgement back from a write quorum of the storage nodes in the protection group (which may indicate that the redo log record has been written to the storage node), it may send an acknowledgement of the requested change to the database tier (e.g., to the database engine head node). For example, in embodiments in which data is made durable through the use of protection groups, the database engine head node may not be able to commit a transaction until and unless the client-side driver receives a reply from enough storage node instances to constitute a write quorum. Similarly, for a read request directed to a particular segment, the client-side driver may route the read request to all of the nodes on which the segment is stored (e.g., asynchronously and in parallel, at substantially the same time). As soon as the client-side driver receives the requested data from a read quorum of the storage nodes in the protection group, it may return the requested data to the database tier (e.g., to the database engine head node).

In some embodiments, the database tier (or more specifically, the database engine head node) may include a cache in which recently accessed data pages are held temporarily. In such embodiments, if a write request is received that targets a data page held in such a cache, in addition to shipping a corresponding redo log record to the storage layer, the database engine may apply the change to the copy of the data page held in its cache. However, unlike in other database systems, a data page held in this cache may not ever be flushed to the storage layer, and it may be discarded at any time (e.g., at any time after the redo log record for a write request that was most recently applied to the cached copy has been sent to the storage layer and acknowledged). The cache may implement any of various locking mechanisms to control access to the cache by at most one writer (or multiple readers) at a time, in different embodiments. Note, however, that in embodiments that include such a cache, the cache may not be distributed across multiple nodes, but may exist only on the database engine head node for a given database instance. Therefore, there may be no cache coherency or consistency issues to manage.

In some embodiments, the database tier may support the use of synchronous or asynchronous read replicas in the system, e.g., read-only copies of data on different nodes of the database tier to which read requests can be routed. In such embodiments, if the database engine head node for a given database receives a read request directed to a particular data page, it may route the request to any one (or a particular one) of these read-only copies. In some embodiments, the client-side driver in the database engine head node may be configured to notify these other nodes about updates and/or invalidations to cached data pages (e.g., in order to prompt them to invalidate their caches, after which they may request updated copies of updated data pages from the storage layer).

In some embodiments, the client-side driver running on the database engine head node may expose a private interface to the storage tier. In some embodiments, it may also expose a traditional iSCSI interface to one or more other components (e.g., other database engines or virtual computing services components). In some embodiments, storage for a database instance in the storage tier may be modeled as a single volume that can grow in size without limits, and that can have an unlimited number of IOPS associated with it. When a volume is created, it may be created with a specific size, with a specific availability/durability characteristic (e.g., specifying how it is replicated), and/or with an IOPS rate associated with it (e.g., both peak and sustained). For example, in some embodiments, a variety of different durability models may be supported, and users/subscribers may be able to specify, for their database, a number of replication copies, zones, or regions and/or whether replication is synchronous or asynchronous based upon their durability, performance and cost objectives.

In some embodiments, the client side driver may maintain metadata about the volume and may directly send asynchronous requests to each of the storage nodes necessary to fulfill read requests and write requests without requiring additional hops between storage nodes. For example, in some embodiments, in response to a request to make a change to a database, the client-side driver may be configured to determine the one or more nodes that are implementing the storage for the targeted data page, and to route the redo log record(s) specifying that change to those storage nodes. The storage nodes may then be responsible for applying the change specified in the redo log record to the targeted data page at some point in the future. As writes are acknowledged back to the client-side driver, the client-side driver may advance the point at which the volume is durable and may acknowledge commits back to the database tier. As previously noted, in some embodiments, the client-side driver may not ever send data pages to the storage node servers. This may not only reduce network traffic, but may also remove the need for the checkpoint or background writer threads that constrain foreground-processing throughput in previous database systems.

In some embodiments, many read requests may be served by the database engine head node cache. However, write requests may require durability, since large-scale failure events may be too common to allow only in-memory replication. Therefore, the systems described herein may be configured to minimize the cost of the redo log record write operations that are in the foreground latency path by implementing data storage in the storage tier as two regions: a small append-only log-structured region into which redo log records are written when they are received from the database tier, and a larger region in which log records are coalesced together to create new versions of data pages in the background. In some embodiments, an in-memory structure may be maintained for each data page that points to the last redo log record for that page, backward chaining log records until an instantiated data block is referenced. This approach may provide good performance for mixed read-write workloads, including in applications in which reads are largely cached.

In some embodiments, because accesses to the log-structured data storage for the redo log records may consist of a series of sequential input/output operations (rather than random input/output operations), the changes being made may be tightly packed together. It should also be noted that, in contrast to existing systems in which each change to a data page results in two input/output operations to persistent data storage (one for the redo log and one for the modified data page itself), in some embodiments, the systems described herein may avoid this “write amplification” by coalescing data pages at the storage nodes of the distributed storage system based on receipt of the redo log records.

As previously noted, in some embodiments, the storage tier of the database system may be responsible for taking database snapshots. However, because the storage tier implements log-structured storage, taking a snapshot of a data page (e.g., a data block) may include recording a timestamp associated with the redo log record that was most recently applied to the data page/block (or a timestamp associated with the most recent operation to coalesce multiple redo log records to create a new version of the data page/block), and preventing garbage collection of the previous version of the page/block and any subsequent log entries up to the recorded point in time. In such embodiments, taking a database snapshot may not require reading, copying, or writing the data block, as would be required when employing an off-volume backup strategy. In some embodiments, the space requirements for snapshots may be minimal, since only modified data would require additional space, although user/subscribers may be able to choose how much additional space they want to keep for on-volume snapshots in addition to the active data set. In different embodiments, snapshots may be discrete (e.g., each snapshot may provide access to all of the data in a data page as of a specific point in time) or continuous (e.g., each snapshot may provide access to all versions of the data that existing in a data page between two points in time). In some embodiments, reverting to a prior snapshot may include recording a log record to indicate that all redo log records and data pages since that snapshot are invalid and garbage collectable, and discarding all database cache entries after the snapshot point. In such embodiments, no roll-forward may be required since the storage system will, on a block-by-block basis, apply redo log records to data blocks as requested and in the background across all nodes, just as it does in normal forward read/write processing. Crash recovery may thereby be made parallel and distributed across nodes.

One embodiment of a service system architecture that may be configured to implement a web services-based database service is illustrated in FIG. 2. In the illustrated embodiment, a number of clients (shown as database clients 250 a-250 n) may be configured to interact with a web services platform 200 via a network 260. Web services platform 200 may be configured to interface with one or more instances of a database service 210, a distributed database-optimized storage service 220 and/or one or more other virtual computing services 230. It is noted that where one or more instances of a given component may exist, reference to that component herein may be made in either the singular or the plural. However, usage of either form is not intended to preclude the other.

In various embodiments, the components illustrated in FIG. 2 may be implemented directly within computer hardware, as instructions directly or indirectly executable by computer hardware (e.g., a microprocessor or computer system), or using a combination of these techniques. For example, the components of FIG. 2 may be implemented by a system that includes a number of computing nodes (or simply, nodes), each of which may be similar to the computer system embodiment illustrated in FIG. 10 and described below. In various embodiments, the functionality of a given service system component (e.g., a component of the database service or a component of the storage service) may be implemented by a particular node or may be distributed across several nodes. In some embodiments, a given node may implement the functionality of more than one service system component (e.g., more than one database service system component).

Generally speaking, clients 250 may encompass any type of client configurable to submit web services requests to web services platform 200 via network 260, including requests for database services (e.g., a request to generate a snapshot, etc.). For example, a given client 250 may include a suitable version of a web browser, or may include a plug-in module or other type of code module configured to execute as an extension to or within an execution environment provided by a web browser. Alternatively, a client 250 (e.g., a database service client) may encompass an application such as a database application (or user interface thereof), a media application, an office application or any other application that may make use of persistent storage resources to store and/or access one or more databases. In some embodiments, such an application may include sufficient protocol support (e.g., for a suitable version of Hypertext Transfer Protocol (HTTP)) for generating and processing web services requests without necessarily implementing full browser support for all types of web-based data. That is, client 250 may be an application configured to interact directly with web services platform 200. In some embodiments, client 250 may be configured to generate web services requests according to a Representational State Transfer (REST)-style web services architecture, a document- or message-based web services architecture, or another suitable web services architecture.

In some embodiments, a client 250 (e.g., a database service client) may be configured to provide access to web services-based storage of databases to other applications in a manner that is transparent to those applications. For example, client 250 may be configured to integrate with an operating system or file system to provide storage in accordance with a suitable variant of the storage models described herein. However, the operating system or file system may present a different storage interface to applications, such as a conventional file system hierarchy of files, directories and/or folders. In such an embodiment, applications may not need to be modified to make use of the storage system service model of FIG. 1. Instead, the details of interfacing to Web services platform 200 may be coordinated by client 250 and the operating system or file system on behalf of applications executing within the operating system environment.

Clients 250 may convey web services requests (e.g., a snapshot request, parameters of a snapshot request, read request, restore a snapshot, etc.) to and receive responses from web services platform 200 via network 260. In various embodiments, network 260 may encompass any suitable combination of networking hardware and protocols necessary to establish web-based communications between clients 250 and platform 200. For example, network 260 may generally encompass the various telecommunications networks and service providers that collectively implement the Internet. Network 260 may also include private networks such as local area networks (LANs) or wide area networks (WANs) as well as public or private wireless networks. For example, both a given client 250 and web services platform 200 may be respectively provisioned within enterprises having their own internal networks. In such an embodiment, network 260 may include the hardware (e.g., modems, routers, switches, load balancers, proxy servers, etc.) and software (e.g., protocol stacks, accounting software, firewall/security software, etc.) necessary to establish a networking link between given client 250 and the Internet as well as between the Internet and web services platform 200. It is noted that in some embodiments, clients 250 may communicate with web services platform 200 using a private network rather than the public Internet. For example, clients 250 may be provisioned within the same enterprise as a database service system (e.g., a system that implements database service 210 and/or distributed database-optimized storage service 220). In such a case, clients 250 may communicate with platform 200 entirely through a private network 260 (e.g., a LAN or WAN that may use Internet-based communication protocols but which is not publicly accessible).

Generally speaking, web services platform 200 may be configured to implement one or more service endpoints configured to receive and process web services requests, such as requests to access data pages (or records thereof). For example, web services platform 200 may include hardware and/or software configured to implement a particular endpoint, such that an HTTP-based web services request directed to that endpoint is properly received and processed. In one embodiment, web services platform 200 may be implemented as a server system configured to receive web services requests from clients 250 and to forward them to components of a system that implements database service 210, distributed database-optimized storage service 220 and/or another virtual computing service 230 for processing. In other embodiments, web services platform 200 may be configured as a number of distinct systems (e.g., in a cluster topology) implementing load balancing and other request management features configured to dynamically manage large-scale web services request processing loads. In various embodiments, web services platform 200 may be configured to support REST-style or document-based (e.g., SOAP-based) types of web services requests.

In addition to functioning as an addressable endpoint for clients' web services requests, in some embodiments, web services platform 200 may implement various client management features. For example, platform 200 may coordinate the metering and accounting of client usage of web services, including storage resources, such as by tracking the identities of requesting clients 250, the number and/or frequency of client requests, the size of data tables (or records thereof) stored or retrieved on behalf of clients 250, overall storage bandwidth used by clients 250, class of storage requested by clients 250, or any other measurable client usage parameter. Platform 200 may also implement financial accounting and billing systems, or may maintain a database of usage data that may be queried and processed by external systems for reporting and billing of client usage activity. In certain embodiments, platform 200 may be configured to collect, monitor and/or aggregate a variety of storage service system operational metrics, such as metrics reflecting the rates and types of requests received from clients 250, bandwidth utilized by such requests, system processing latency for such requests, system component utilization (e.g., network bandwidth and/or storage utilization within the storage service system), rates and types of errors resulting from requests, characteristics of stored and requested data pages or records thereof (e.g., size, data type, etc.), or any other suitable metrics. In some embodiments such metrics may be used by system administrators to tune and maintain system components, while in other embodiments such metrics (or relevant portions of such metrics) may be exposed to clients 250 to enable such clients to monitor their usage of database service 210, distributed database-optimized storage service 220 and/or another virtual computing service 230 (or the underlying systems that implement those services).

In some embodiments, platform 200 may also implement user authentication and access control procedures. For example, for a given web services request to access a particular database, platform 200 may be configured to ascertain whether the client 250 associated with the request is authorized to access the particular database. Platform 200 may determine such authorization by, for example, evaluating an identity, password or other credential against credentials associated with the particular database, or evaluating the requested access to the particular database against an access control list for the particular database. For example, if a client 250 does not have sufficient credentials to access the particular database, platform 200 may reject the corresponding web services request, for example by returning a response to the requesting client 250 indicating an error condition. Various access control policies may be stored as records or lists of access control information by database service 210, distributed database-optimized storage service 220 and/or other virtual computing services 230.

It is noted that while web services platform 200 may represent the primary interface through which clients 250 may access the features of a database system that implements database service 210, it need not represent the sole interface to such features. For example, an alternate API that may be distinct from a web services interface may be used to allow clients internal to the enterprise providing the database system to bypass web services platform 200. Note that in many of the examples described herein, distributed database-optimized storage service 220 may be internal to a computing system or an enterprise system that provides database services to clients 250, and may not be exposed to external clients (e.g., users or client applications). In such embodiments, the internal “client” (e.g., database service 210) may access distributed database-optimized storage service 220 over a local or private network, shown as the solid line between distributed database-optimized storage service 220 and database service 210 (e.g., through an API directly between the systems that implement these services). In such embodiments, the use of distributed database-optimized storage service 220 in storing databases on behalf of clients 250 may be transparent to those clients. In other embodiments, distributed database-optimized storage service 220 may be exposed to clients 250 through web services platform 200 to provide storage of databases or other information for applications other than those that rely on database service 210 for database management. This is illustrated in FIG. 2 by the dashed line between web services platform 200 and distributed database-optimized storage service 220. In such embodiments, clients of the distributed database-optimized storage service 220 may access distributed database-optimized storage service 220 via network 260 (e.g., over the Internet). In some embodiments, a virtual computing service 230 may be configured to receive storage services from distributed database-optimized storage service 220 (e.g., through an API directly between the virtual computing service 230 and distributed database-optimized storage service 220) to store objects used in performing computing services 230 on behalf of a client 250. This is illustrated in FIG. 2 by the dashed line between virtual computing service 230 and distributed database-optimized storage service 220. In some cases, the accounting and/or credentialing services of platform 200 may be unnecessary for internal clients such as administrative clients or between service components within the same enterprise.

Note that in various embodiments, different storage policies may be implemented by database service 210 and/or distributed database-optimized storage service 220. Examples of such storage policies may include a durability policy (e.g., a policy indicating the number of instances of a database (or data page thereof) that will be stored and the number of different nodes on which they will be stored) and/or a load balancing policy (which may distribute databases, or data pages thereof, across different nodes, volumes and/or disks in an attempt to equalize request traffic). In addition, different storage policies may be applied to different types of stored items by various one of the services. For example, in some embodiments, distributed database-optimized storage service 220 may implement a higher durability for redo log records than for data pages.

FIG. 3 is a block diagram illustrating various components of a database system that includes a database engine and a separate distributed database storage service, according to one embodiment. In this example, database system 300 includes a respective database engine head node 320 for each of several databases and a distributed database-optimized storage service 310 (which may or may not be visible to the clients of the database system, shown as database clients 350 a-350 n). As illustrated in this example, one or more of database clients 350 a-350 n may access a database head node 320 (e.g., head node 320 a, head node 320 b, or head node 320 c, each of which is a component of a respective database instance) via network 360 (e.g., these components may be network-addressable and accessible to the database clients 350 a-350 n). However, distributed database-optimized storage service 310, which may be employed by the database system to store data pages of one or more databases (and redo log records and/or other metadata associated therewith) on behalf of database clients 350 a-350 n, and to perform other functions of the database system as described herein, may or may not be network-addressable and accessible to the storage clients 350 a-350 n, in different embodiments. For example, in some embodiments, distributed database-optimized storage service 310 may perform various storage, access, change logging, recovery, log record manipulation, and/or space management operations in a manner that is invisible to storage clients 350 a-350 n.

As previously noted, each database instance may include a single database engine head node 320 that receives requests (e.g., a snapshot request, etc.) from various client programs (e.g., applications) and/or subscribers (users), then parses them, optimizes them, and develops an execution plan to carry out the associated database operation(s). In the example illustrated in FIG. 3, a query parsing, optimization, and execution component 305 of database engine head node 320 a may perform these functions for queries that are received from database client 350 a and that target the database instance of which database engine head node 320 a is a component. In some embodiments, query parsing, optimization, and execution component 305 may return query responses to database client 350 a, which may include write acknowledgements, requested data pages (or portions thereof), error messages, and or other responses, as appropriate. As illustrated in this example, database engine head node 320 a may also include a client-side storage service driver 325, which may route read requests and/or redo log records to various storage nodes within distributed database-optimized storage service 310, receive write acknowledgements from distributed database-optimized storage service 310, receive requested data pages from distributed database-optimized storage service 310, and/or return data pages, error messages, or other responses to query parsing, optimization, and execution component 305 (which may, in turn, return them to database client 350 a).

In this example, database engine head node 320 a includes a data page cache 335, in which data pages that were recently accessed may be temporarily held. As illustrated in FIG. 3, database engine head node 320 a may also include a transaction and consistency management component 330, which may be responsible for providing transactionality and consistency in the database instance of which database engine head node 320 a is a component. For example, this component may be responsible for ensuring the Atomicity, Consistency, and Isolation properties of the database instance and the transactions that are directed that the database instance. As illustrated in FIG. 3, database engine head node 320 a may also include a transaction log 340 and an undo log 345, which may be employed by transaction and consistency management component 330 to track the status of various transactions and roll back any locally cached results of transactions that do not commit.

Note that each of the other database engine head nodes 320 illustrated in FIG. 3 (e.g., 320 b and 320 c) may include similar components and may perform similar functions for queries received by one or more of database clients 350 a-350 n and directed to the respective database instances of which it is a component.

In some embodiments, the distributed database-optimized storage systems described herein may organize data in various logical volumes, segments, and pages for storage on one or more storage nodes. For example, in some embodiments, each database is represented by a logical volume, and each logical volume is segmented over a collection of storage nodes. Each segment, which lives on a particular one of the storage nodes, contains a set of contiguous block addresses. In some embodiments, each data page is stored in a segment, such that each segment stores a collection of one or more data pages and a change log (also referred to as a redo log) (e.g., a log of redo log records) for each data page that it stores. As described in detail herein, the storage nodes may be configured to receive redo log records (which may also be referred to herein as ULRs) and to coalesce them to create new versions of the corresponding data pages and/or additional or replacement log records (e.g., lazily and/or in response to a request for a data page or a database crash). In some embodiments, data pages and/or change logs may be mirrored across multiple storage nodes, according to a variable configuration (which may be specified by the client on whose behalf the databases are being maintained in the database system). For example, in different embodiments, one, two, or three copies of the data or change logs may be stored in each of one, two, or three different availability zones or regions, according to a default configuration, an application-specific durability preference, or a client-specified durability preference.

As used herein, the following terms may be used to describe the organization of data by a distributed database-optimized storage system, according to various embodiments.

Volume: A volume is a logical concept representing a highly durable unit of storage that a user/client/application of the storage system understands. More specifically, a volume is a distributed store that appears to the user/client/application as a single consistent ordered log of write operations to various user pages of a database. Each write operation may be encoded in a User Log Record (ULR), which represents a logical, ordered mutation to the contents of a single user page within the volume. As noted above, a ULR may also be referred to herein as a redo log record. Each ULR may include a unique identifier (e.g., a Logical Sequence Number (LSN)). Each ULR may be persisted to one or more synchronous segments in the distributed store that form a Protection Group (PG), to provide high durability and availability for the ULR. A volume may provide an LSN-type read/write interface for a variable-size contiguous range of bytes.

In some embodiments, a volume may consist of multiple extents, each made durable through a protection group. In such embodiments, a volume may represent a unit of storage composed of a mutable contiguous sequence of Volume Extents. Reads and writes that are directed to a volume may be mapped into corresponding reads and writes to the constituent volume extents. In some embodiments, the size of a volume may be changed by adding or removing volume extents from the end of the volume.

Segment: A segment is a limited-durability unit of storage assigned to a single storage node. More specifically, a segment provides limited best-effort durability (e.g., a persistent, but non-redundant single point of failure that is a storage node) for a specific fixed-size byte range of data. This data may in some cases be a mirror of user-addressable data, or it may be other data, such as volume metadata or erasure coded bits, in various embodiments. A given segment may live on exactly one storage node. Within a storage node, multiple segments may live on each SSD, and each segment may be restricted to one SSD (e.g., a segment may not span across multiple SSDs). In some embodiments, a segment may not be required to occupy a contiguous region on an SSD; rather there may be an allocation map in each SSD describing the areas that are owned by each of the segments. As noted above, a protection group may consist of multiple segments spread across multiple storage nodes. In some embodiments, a segment may provide an LSN-type read/write interface for a fixed-size contiguous range of bytes (where the size is defined at creation). In some embodiments, each segment may be identified by a Segment UUID (e.g., a universally unique identifier of the segment).

Storage page: A storage page is a block of memory, generally of fixed size. In some embodiments, each page is a block of memory (e.g., of virtual memory, disk, or other physical memory) of a size defined by the operating system, and may also be referred to herein by the term “data block”. More specifically, a storage page may be a set of contiguous sectors. It may serve as the unit of allocation in SSDs, as well as the unit in log pages for which there is a header and metadata. In some embodiments, and in the context of the database systems described herein, the term “page” or “storage page” may refer to a similar block of a size defined by the database configuration, which may typically a multiple of 2, such as 4096, 8192, 16384, or 32768 bytes.

Log page: A log page is a type of storage page that is used to store log records (e.g., redo log records or undo log records). In some embodiments, log pages may be identical in size to storage pages. Each log page may include a header containing metadata about that log page, e.g., metadata identifying the segment to which it belongs. Note that a log page is a unit of organization and may not necessarily be the unit of data included in write operations. For example, in some embodiments, during normal forward processing, write operations may write to the tail of the log one sector at a time.

Log Records: Log records (e.g., the individual elements of a log page) may be of several different classes. For example, User Log Records (ULRs), which are created and understood by users/clients/applications of the storage system, may be used to indicate changes to user data in a volume. Control Log Records (CLRs), which are generated by the storage system, may contain control information used to keep track of metadata such as the current unconditional volume durable LSN (VDL). Null Log Records (NLRs) may in some embodiments be used as padding to fill in unused space in a log sector or log page. In some embodiments, there may be various types of log records within each of these classes, and the type of a log record may correspond to a function that needs to be invoked to interpret the log record. For example, one type may represent all the data of a user page in compressed format using a specific compression format; a second type may represent new values for a byte range within a user page; a third type may represent an increment operation to a sequence of bytes interpreted as an integer; and a fourth type may represent copying one byte range to another location within the page. In some embodiments, log record types may be identified by GUIDs (rather than by integers or enums), which may simplify versioning and development, especially for ULRs.

Payload: The payload of a log record is the data or parameter values that are specific to the log record or to log records of a particular type. For example, in some embodiments, there may be a set of parameters or attributes that most (or all) log records include, and that the storage system itself understands. These attributes may be part of a common log record header/structure, which may be relatively small compared to the sector size. In addition, most log records may include additional parameters or data specific to that log record type, and this additional information may be considered the payload of that log record. In some embodiments, if the payload for a particular ULR is larger than the user page size, it may be replaced by an absolute ULR (an AULR) whose payload includes all the data for the user page. This may enable the storage system to enforce an upper limit on the size of the payload for ULRs that is equal to the size of user pages.

Note that when storing log records in the segment log, the payload may be stored along with the log header, in some embodiments. In other embodiments, the payload may be stored in a separate location, and pointers to the location at which that payload is stored may be stored with the log header. In still other embodiments, a portion of the payload may be stored in the header, and the remainder of the payload may be stored in a separate location. If the entire payload is stored with the log header, this may be referred to as in-band storage; otherwise the storage may be referred to as being out-of-band. In some embodiments, the payloads of most large AULRs may be stored out-of-band in the cold zone of log (which is described below).

User pages: User pages are the byte ranges (of a fixed size) and alignments thereof for a particular volume that are visible to users/clients of the storage system. User pages are a logical concept, and the bytes in particular user pages may or not be stored in any storage page as-is. The size of the user pages for a particular volume may be independent of the storage page size for that volume. In some embodiments, the user page size may be configurable per volume, and different segments on a storage node may have different user page sizes. In some embodiments, user page sizes may be constrained to be a multiple of the sector size (e.g., 4 KB), and may have an upper limit (e.g., 64 KB). The storage page size, on the other hand, may be fixed for an entire storage node and may not change unless there is a change to the underlying hardware.

Data page: A data page is a type of storage page that is used to store user page data in compressed form. In some embodiments every piece of data stored in a data page is associated with a log record, and each log record may include a pointer to a sector within a data page (also referred to as a data sector). In some embodiments, data pages may not include any embedded metadata other than that provided by each sector. There may be no relationship between the sectors in a data page. Instead, the organization into pages may exist only as an expression of the granularity of the allocation of data to a segment.

Storage node: A storage node is a single virtual machine that on which storage node server code is deployed. Each storage node may contain multiple locally attached SSDs, and may provide a network API for access to one or more segments. In some embodiments, various nodes may be on an active list or on a degraded list (e.g., if they are slow to respond or are otherwise impaired, but are not completely unusable). In some embodiments, the client-side driver may assist in (or be responsible for) classifying nodes as active or degraded, for determining if and when they should be replaced, and/or for determining when and how to redistribute data among various nodes, based on observed performance.

SSD: As referred to herein, the term “SSD” may refer to a local block storage volume as seen by the storage node, regardless of the type of storage employed by that storage volume, e.g., disk, a solid-state drive, a battery-backed RAM, a non-volatile RAM device (e.g., one or more NV-DIMMs) or another type of persistent storage device. An SSD is not necessarily mapped directly to hardware. For example, a single solid-state storage device might be broken up into multiple local volumes where each volume is split into and striped across multiple segments, and/or a single drive may be broken up into multiple volumes simply for ease of management, in different embodiments. In some embodiments, each SSD may store an allocation map at a single fixed location. This map may indicate which storage pages that are owned by particular segments, and which of these pages are log pages (as opposed to data pages). In some embodiments, storage pages may be pre-allocated to each segment so that forward processing may not need to wait for allocation. Any changes to the allocation map may need to be made durable before newly allocated storage pages are used by the segments.

One embodiment of a distributed database-optimized storage system is illustrated by the block diagram in FIG. 4. In this example, a database system 400 includes a distributed database-optimized storage system 410, which communicates with a database engine head node 420 over interconnect 460. As in the example illustrated in FIG. 3, database engine head node 420 may include a client-side storage service driver 425. In this example, distributed database-optimized storage system 410 includes multiple storage system server nodes (including those shown as 430, 440, and 450), each of which includes storage for data pages and redo logs for the segment(s) it stores, and hardware and/or software configured to perform various segment management functions. For example, each storage system server node may include hardware and/or software configured to perform at least a portion of any or all of the following operations: replication (locally, e.g., within the storage node), coalescing of redo logs to generate data pages, snapshots (e.g., creating, restoration, deletion, etc.), log management (e.g., manipulating log records), crash recovery, and/or space management (e.g., for a segment). Each storage system server node may also have multiple attached storage devices (e.g., SSDs) on which data blocks may be stored on behalf of clients (e.g., users, client applications, and/or database service subscribers).

In the example illustrated in FIG. 4, storage system server node 430 includes data page(s) 433, segment redo log(s) 435, segment management functions 437, and attached SSDs 471-478. Again note that the label “SSD” may or may not refer to a solid-state drive, but may more generally refer to a local block storage volume, regardless of its underlying hardware. Similarly, storage system server node 440 includes data page(s) 443, segment redo log(s) 445, segment management functions 447, and attached SSDs 481-488; and storage system server node 450 includes data page(s) 453, segment redo log(s) 455, segment management functions 457, and attached SSDs 491-498.

As previously noted, in some embodiments, a sector is the unit of alignment on an SSD and may be the maximum size on an SSD that can be written without the risk that the write will only be partially completed. For example, the sector size for various solid-state drives and spinning media may be 4 KB. In some embodiments of the distributed database-optimized storage systems described herein, each and every sector may include have a 64-bit (8 byte) CRC at the beginning of the sector, regardless of the higher-level entity of which the sector is a part. In such embodiments, this CRC (which may be validated every time a sector is read from SSD) may be used in detecting corruptions. In some embodiments, each and every sector may also include a “sector type” byte whose value identifies the sector as a log sector, a data sector, or an uninitialized sector. For example, in some embodiments, a sector type byte value of 0 may indicate that the sector is uninitialized.

In some embodiments, each of the storage system server nodes in the distributed database-optimized storage system may implement a set of processes running on the node server's operating system that manage communication with the database engine head node, e.g., to receive redo logs, send back data pages, etc. In some embodiments, all data blocks written to the distributed database-optimized storage system may be backed up to long-term and/or archival storage (e.g., in a remote key-value durable backup storage system).

FIG. 5 is a block diagram illustrating the use of a separate distributed database-optimized storage system in a database system, according to one embodiment. In this example, one or more client processes 510 may store data to one or more databases maintained by a database system that includes a database engine 520 and a distributed database-optimized storage system 530. In the example illustrated in FIG. 5, database engine 520 includes database tier components 560 and client-side driver 540 (which serves as the interface between distributed database-optimized storage system 530 and database tier components 560). In some embodiments, database tier components 560 may perform functions such as those performed by query parsing, optimization and execution component 305 and transaction and consistency management component 330 of FIG. 3, and/or may store data pages, transaction logs and/or undo logs (such as those stored by data page cache 335, transaction log 340 and undo log 345 of FIG. 3).

In this example, one or more client processes 510 may send database query requests 515 (which may include read and/or write requests targeting data stored on one or more of the storage nodes 535 a-535 n) to database tier components 560, and may receive database query responses 517 from database tier components 560 (e.g., responses that include write acknowledgements and/or requested data). Each database query request 515 that includes a request to write to a data page may be parsed and optimized to generate one or more write record requests 541, which may be sent to client-side driver 540 for subsequent routing to distributed database-optimized storage system 530. In this example, client-side driver 540 may generate one or more redo log records 531 corresponding to each write record request 541, and may send them to specific ones of the storage nodes 535 of distributed database-optimized storage system 530. Distributed database-optimized storage system 530 may return a corresponding write acknowledgement 523 for each redo log record 531 to database engine 520 (specifically to client-side driver 540). Client-side driver 540 may pass these write acknowledgements to database tier components 560 (as write responses 542), which may then send corresponding responses (e.g., write acknowledgements) to one or more client processes 510 as one of database query responses 517.

In this example, each database query request 515 that includes a request to read a data page may be parsed and optimized to generate one or more read record requests 543, which may be sent to client-side driver 540 for subsequent routing to distributed database-optimized storage system 530. In this example, client-side driver 540 may send these requests to specific ones of the storage nodes 535 of distributed database-optimized storage system 530, and distributed database-optimized storage system 530 may return the requested data pages 533 to database engine 520 (specifically to client-side driver 540). Client-side driver 540 may send the returned data pages to the database tier components 560 as return data records 544, and database tier components 560 may then send the data pages to one or more client processes 510 as database query responses 517.

In some embodiments, various error and/or data loss messages 534 may be sent from distributed database-optimized storage system 530 to database engine 520 (specifically to client-side driver 540). These messages may be passed from client-side driver 540 to database tier components 560 as error and/or loss reporting messages 545, and then to one or more client processes 510 along with (or instead of) a database query response 517.

In some embodiments, the APIs 531-534 of distributed database-optimized storage system 530 and the APIs 541-545 of client-side driver 540 may expose the functionality of the distributed database-optimized storage system 530 to database engine 520 as if database engine 520 were a client of distributed database-optimized storage system 530. For example, database engine 520 (through client-side driver 540) may write redo log records or request data pages through these APIs to perform (or facilitate the performance of) various operations of the database system implemented by the combination of database engine 520 and distributed database-optimized storage system 530 (e.g., storage, access, change logging, recovery, and/or space management operations). As illustrated in FIG. 5, distributed database-optimized storage system 530 may store data blocks on storage nodes 535 a-535 n, each of which may have multiple attached SSDs. In some embodiments, distributed database-optimized storage system 530 may provide high durability for stored data block through the application of various types of redundancy schemes.

Note that in various embodiments, the API calls and responses between database engine 520 and distributed database-optimized storage system 530 (e.g., APIs 531-534) and/or the API calls and responses between client-side driver 540 and database tier components 560 (e.g., APIs 541-545) in FIG. 5 may be performed over a secure proxy connection (e.g., one managed by a gateway control plane), or may be performed over the public network or, alternatively, over a private channel such as a virtual private network (VPN) connection. These and other APIs to and/or between components of the database systems described herein may be implemented according to different technologies, including, but not limited to, Simple Object Access Protocol (SOAP) technology and Representational state transfer (REST) technology. For example, these APIs may be, but are not necessarily, implemented as SOAP APIs or RESTful APIs. SOAP is a protocol for exchanging information in the context of Web-based services. REST is an architectural style for distributed hypermedia systems. A RESTful API (which may also be referred to as a RESTful web service) is a web service API implemented using HTTP and REST technology. The APIs described herein may in some embodiments be wrapped with client libraries in various languages, including, but not limited to, C, C++, Java, C# and Perl to support integration with database engine 520 and/or distributed database-optimized storage system 530.

As noted above, in some embodiments, the functional components of a database system may be partitioned between those that are performed by the database engine and those that are performed in a separate, distributed, database-optimized storage system. In one specific example, in response to receiving a request from a client process (or a thread thereof) to insert something into a database (e.g., to update a single data block by adding a record to that data block), one or more components of the database engine head node may perform query parsing, optimization, and execution, and may send each portion of the query to a transaction and consistency management component. The transaction and consistency management component may ensure that no other client process (or thread thereof) is trying to modify the same row at the same time. For example, the transaction and consistency management component may be responsible for ensuring that this change is performed atomically, consistently, durably, and in an isolated manner in the database. For example, the transaction and consistency management component may work together with the client-side storage service driver of the database engine head node to generate a redo log record to be sent to one of the nodes in the distributed database-optimized storage service and to send it to the distributed database-optimized storage service (along with other redo logs generated in response to other client requests) in an order and/or with timing that ensures the ACID properties are met for this transaction. Upon receiving the redo log record (which may be considered an “update record” by the storage service), the corresponding storage node may update the data block, and may update a redo log for the data block (e.g., a record of all changes directed to the data block). In some embodiments, the database engine may be responsible for generating an undo log record for this change, and may also be responsible for generating a redo log record for the undo log both of which may be used locally (in the database tier) for ensuring transactionality. However, unlike in traditional database systems, the systems described herein may shift the responsibility for applying changes to data blocks to the storage system (rather than applying them at the database tier and shipping the modified data blocks to the storage system). Moreover, as described herein at FIGS. 8-9B, in various embodiments, system-wide checkpoint may be avoided at the database system along with fast recovery from a database system crash due to various log record operations that may be performed by the storage system as well.

A variety of different allocation models may be implemented for an SSD, in different embodiments. For example, in some embodiments, log entry pages and physical application pages may be allocated from a single heap of pages associated with an SSD device. This approach may have the advantage of leaving the relative amount of storage consumed by log pages and data pages to remain unspecified and to adapt automatically to usage. It may also have the advantage of allowing pages to remain unprepared until they are used, and repurposed at will without preparation. In other embodiments, an allocation model may partition the storage device into separate spaces for log entries and data pages. Once such allocation model is illustrated by the block diagram in FIG. 6 and described below.

FIG. 6 is a block diagram illustrating how data and metadata may be stored on a given storage node (or persistent storage device) of a distributed database-optimized storage system, according to one embodiment. In this example, SSD storage space 600 stores an SSD header and other fixed metadata in the portion of the space labeled 610. It stores log pages in the portion of the space labeled 620, and includes a space labeled 630 that is initialized and reserved for additional log pages. One portion of SSD storage space 600 (shown as 640) is initialized, but unassigned, and another portion of the space (shown as 650) is uninitialized and unassigned. Finally, the portion of SSD storage space 600 labeled 660 stores data pages.

In this example, the first usable log page slot is noted as 615, and the last used log page slot (ephemeral) is noted as 625. The last reserved log page slot is noted as 635, and the last usable log page slot is noted as 645. In this example, the first used data page slot (ephemeral) is noted as 665. In some embodiments, the positions of each of these elements (615, 625, 635, 645, and 665) within SSD storage space 600 may be identified by a respective pointer.

In allocation approach illustrated in FIG. 6, valid log pages may be packed into the beginning of the flat storage space. Holes that open up due to log pages being freed may be reused before additional log page slots farther into the address space are used. For example, in the worst case, the first n log page slots contain valid log data, where n is the largest number of valid log pages that have ever simultaneously existed. In this example, valid data pages may be packed into the end of the flat storage space. Holes that open up due to data pages being freed may be reused before additional data page slots lower in the address space are used. For example, in the worst case, the last m data pages contain valid data, where m is the largest number of valid data pages that have ever simultaneously existed.

In some embodiments, before a log page slot can become part of the potential set of valid log page entries, it may need to be initialized to a value that cannot be confused for a valid future log entry page. This is implicitly true for recycled log page slots, since a retired log page has enough metadata to never be confused for a new valid log page. However, when a storage device is first initialized, or when space is reclaimed that had potentially been used to store application data pages, the log page slots may need to be initialized before they are added to the log page slot pool. In some embodiments, rebalancing/reclaiming log space may be performed as a background task.

In the example illustrated in FIG. 6, the current log page slot pool includes the area between the first usable log page slot (at 615) and the last reserved log page slot (625). In some embodiments, this pool may safely grow up to last usable log page slot (625) without re-initialization of new log page slots (e.g., by persisting an update to the pointer that identifies the last reserved log page slot, 635). In this example, beyond the last usable log page slot (which is identified by pointer 645), the pool may grow up to the first used data page slot (which is identified by pointer 665) by persisting initialized log page slots and persistently updating the pointer for the last usable log page slot (645). In this example, the previously uninitialized and unassigned portion of the SSD storage space 600 shown as 650 may be pressed into service to store log pages. In some embodiments, the current log page slot pool may be shrunk down to the position of the last used log page slot (which is identified by pointer) by persisting an update to the pointer for the last reserved log page slot (635).

In the example illustrated in FIG. 6, the current data page slot pool includes the area between the last usable log page slot (which is identified by pointer 645) and the end of SSD storage space 600. In some embodiments, the data page pool may be safely grown to the position identified by the pointer to the last reserved log page slot (635) by persisting an update to the pointer to the last usable log page slot (645). In this example, the previously initialized, but unassigned portion of the SSD storage space 600 shown as 640 may be pressed into service to store data pages. Beyond this, the pool may be safely grown to the position identified by the pointer to the last used log page slot (625) by persisting updates to the pointers for the last reserved log page slot (635) and the last usable log page slot (645), effectively reassigning the portions of SSD storage space 600 shown as 630 and 640 to store data pages, rather than log pages. In some embodiments, the data page slot pool may be safely shrunk down to the position identified by the pointer to the first used data page slot (665) by initializing additional log page slots and persisting an update to the pointer to the last usable log page slot (645).

In embodiments that employ the allocation approach illustrated in FIG. 6, page sizes for the log page pool and the data page pool may be selected independently, while still facilitating good packing behavior. In such embodiments, there may be no possibility of a valid log page linking to a spoofed log page formed by application data, and it may be possible to distinguish between a corrupted log and a valid log tail that links to an as-yet-unwritten next page. In embodiments that employ the allocation approach illustrated in FIG. 6, at startup, all of the log page slots up to the position identified by the pointer to the last reserved log page slot (635) may be rapidly and sequentially read, and the entire log index may be reconstructed (including inferred linking/ordering). In such embodiments, there may be no need for explicit linking between log pages, since everything can be inferred from LSN sequencing constraints.

In some embodiments, a segment may consist of three main parts (or zones): one that contains a hot log, one that contains a cold log, and one that contains user page data. Zones are not necessarily contiguous regions of an SSD. Rather, they can be interspersed at the granularity of the storage page. In addition, there may be a root page for each segment that stores metadata about the segment and its properties. For example, the root page for a segment may store the user page size for the segment, the number of user pages in the segment, the current beginning/head of the hot log zone (which may be recorded in the form of a flush number), the volume epoch, and/or access control metadata.

In some embodiments, the hot log zone may accept new writes from the client as they are received by the storage node. Both Delta User Log Records (DULRs), which specify a change to a user/data page in the form of a delta from the previous version of the page, and Absolute User Log Records (AULRs), which specify the contents of a complete user/data page, may be written completely into the log. Log records may be added to this zone in approximately the order they are received (e.g., they are not sorted by LSN) and they can span across log pages. The log records may be self-describing, e.g., they may contain an indication of their own size. In some embodiments, no garbage collection is performed in this zone. Instead, space may be reclaimed by truncating from the beginning of the log after all required log records have been copied into the cold log. Log sectors in the hot zone may be annotated with the most recent known unconditional VDL each time a sector is written. Conditional VDL CLRs may be written into the hot zone as they are received, but only the most recently written VDL CLR may be meaningful.

In some embodiments, every time a new log page is written, it may be assigned a flush number. The flush number may be written as part of every sector within each log page. Flush numbers may be used to determine which log page was written later when comparing two log pages. Flush numbers are monotonically increasing and scoped to an SSD (or storage node). For example, a set of monotonically increasing flush numbers is shared between all segments on an SSD (or all segments on a storage node).

In some embodiments, in the cold log zone, log records may be stored in increasing order of their LSNs. In this zone, AULRs may not necessarily store data in-line, depending on their size. For example, if they have large payloads, all or a portion of the payloads may be stored in the data zone and they may point to where their data is stored in the data zone. In some embodiments, log pages in the cold log zone may be written one full page at a time, rather than sector-by-sector. Because log pages in the cold zone are written a full page at a time, any log page in the cold zone for which the flush numbers in all sectors are not identical may be considered to be an incompletely written page and may be ignored. In some embodiments, in the cold log zone, DULRs may be able to span across log pages (up to a maximum of two log pages). However, AULRs may not be able to span log sectors, e.g., so that a coalesce operation will be able to replace a DULR with an AULR in a single atomic write.

In some embodiments, the cold log zone is populated by copying log records from the hot log zone. In such embodiments, only log records whose LSN is less than or equal to the current unconditional volume durable LSN (VDL) may be eligible to be copied to the cold log zone. When moving log records from the hot log zone to the cold log zone, some log records (such as many CLRs) may not need to be copied because they are no longer necessary. In addition, some additional coalescing of user pages may be performed at this point, which may reduce the amount of copying required. In some embodiments, once a given hot zone log page has been completely written and is no longer the newest hot zone log page, and all ULRs on the hot zone log page have been successfully copied to the cold log zone, the hot zone log page may be freed and reused.

In some embodiments, garbage collection may be done in the cold log zone to reclaim space occupied by obsolete log records, e.g., log records that no longer need to be stored in the SSDs of the storage tier. For example, a log record may become obsolete when there is a subsequent AULR for the same user page and the version of the user page represented by the log record is not needed for retention on SSD. In some embodiments, a garbage collection process may reclaim space by merging two or more adjacent log pages and replacing them with fewer new log pages containing all of the non-obsolete log records from the log pages that they are replacing. The new log pages may be assigned new flush numbers that are larger than the flush numbers of the log pages they are replacing. After the write of these new log pages is complete, the replaced log pages may be added to the free page pool. Note that in some embodiments, there may not be any explicit chaining of log pages using any pointers. Instead, the sequence of log pages may be implicitly determined by the flush numbers on those pages. Whenever multiple copies of a log record are found, the log record present in the log page with highest flush number may be considered to be valid and the others may be considered to be obsolete.

In some embodiments, e.g., because the granularity of space managed within a data zone (sector) may be different from the granularity outside the data zone (storage page), there may be some fragmentation. In some embodiments, to keep this fragmentation under control, the system may keep track of the number of sectors used by each data page, may preferentially allocate from almost-full data pages, and may preferentially garbage collect almost-empty data pages (which may require moving data to a new location if it is still relevant). Note that pages allocated to a segment may in some embodiments be repurposed among the three zones. For example, when a page that was allocated to a segment is freed, it may remain associated with that segment for some period of time and may subsequently be used in any of the three zones of that segment. The sector header of every sector may indicate the zone to which the sector belongs. Once all sectors in a page are free, the page may be returned to a common free storage page pool that is shared across zones. This free storage page sharing may in some embodiments reduce (or avoid) fragmentation.

In some embodiments, the distributed database-optimized storage systems described herein may maintain various data structures in memory. For example, for each user page present in a segment, a user page table may store a bit indicating whether or not this user page is “cleared” (i.e., whether it includes all zeroes), the LSN of the latest log record from the cold log zone for the page, and an array/list of locations of all log records from the hot log zone for page. For each log record, the user page table may store the sector number, the offset of the log record within that sector, the number of sectors to read within that log page, the sector number of a second log page (if the log record spans log pages), and the number of sectors to read within that log page. In some embodiments, the user page table may also store the LSNs of every log record from the cold log zone and/or an array of sector numbers for the payload of the latest AULR if it is in the cold log zone.

In some embodiments of the distributed database-optimized storage systems described herein, an LSN index may be stored in memory. An LSN index may map LSNs to log pages within the cold log zone. Given that log records in cold log zone are sorted, it may be to include one entry per log page. However, in some embodiments, every non-obsolete LSN may be stored in the index and mapped to the corresponding sector numbers, offsets, and numbers of sectors for each log record.

In some embodiments of the distributed database-optimized storage systems described herein, a log page table may be stored in memory, and the log page table may be used during garbage collection of the cold log zone. For example, the log page table may identify which log records are obsolete (e.g., which log records can be garbage collected) and how much free space is available on each log page.

In the storage systems described herein, an extent may be a logical concept representing a highly durable unit of storage that can be combined with other extents (either concatenated or striped) to represent a volume. Each extent may be made durable by membership in a single protection group. An extent may provide an LSN-type read/write interface for a contiguous byte sub-range having a fixed size that is defined at creation. Read/write operations to an extent may be mapped into one or more appropriate segment read/write operations by the containing protection group. As used herein, the term “volume extent” may refer to an extent that is used to represent a specific sub-range of bytes within a volume.

As noted above, a volume may consist of multiple extents, each represented by a protection group consisting of one or more segments. In some embodiments, log records directed to different extents may have interleaved LSNs. For changes to the volume to be durable up to a particular LSN it may be necessary for all log records up to that LSN to be durable, regardless of the extent to which they belong. In some embodiments, the client may keep track of outstanding log records that have not yet been made durable, and once all ULRs up to a specific LSN are made durable, it may send a Volume Durable LSN (VDL) message to one of the protection groups in the volume. The VDL may be written to all synchronous mirror segments for the protection group. This is sometimes referred to as an “Unconditional VDL” and it may be periodically persisted to various segments (or more specifically, to various protection groups) along with write activity happening on the segments. In some embodiments, the Unconditional VDL may be stored in log sector headers.

In various embodiments, the operations that may be performed on a segment may include writing a DULR or AULR received from a client (which may involve writing the DULR or AULR to the tail of the hot log zone and then updating the user page table), reading a cold user page (which may involve locating the data sectors of the user page and returning them without needing to apply any additional DULRs), reading a hot user page (which may involve locating the data sectors of the most recent AULR for the user page and apply any subsequent DULRs to the user page before returning it), replacing DULRs with AULRs (which may involve coalescing DULRs for a user page to create an AULR that replaces the last DULR that was applied), manipulating the log records, etc. As described herein coalescing is the process of applying DULRs to an earlier version of a user page to create a later version of the user page. Coalescing a user page may help reduce read latency because (until another DULR is written) all DULRs written prior to coalescing may not need to be read and applied on demand. It may also help reclaim storage space by making old AULRs and DULRs obsolete (provided there is no snapshot requiring the log records to be present). In some embodiments, a coalescing operation may include locating a most recent AULR and applying any subsequent DULRs in sequence without skipping any of the DULRs. As noted above, in some embodiments, coalescing may not be performed within the hot log zone. Instead, it may be performed within the cold log zone. In some embodiments, coalescing may also be performed as log records are copied from the hot log zone to the cold log zone.

In some embodiments, the decision to coalesce a user page may be triggered by the size of the pending DULR chain for the page (e.g., if the length of the DULR chain exceeds a pre-defined threshold for a coalescing operation, according to a system-wide, application-specific or client-specified policy)), or by the user page being read by a client.

FIG. 7 is a block diagram illustrating an example configuration of a database volume 710, according to one embodiment. In this example, data corresponding to each of various address ranges 715 (shown as address ranges 715 a-715 e) is stored as different segments 745 (shown as segments 745 a-745 n). More specifically, data corresponding to each of various address ranges 715 may be organized into different extents (shown as extents 725 a-725 b, and extents 735 a-735 h), and various ones of these extents may be included in different protection groups 730 (shown as 730 a-730 f), with or without striping (such as that shown as stripe set 720 a and stripe set 720 b). In this example, protection group 1 illustrates the use of erasure coding. In this example, protection groups 2 and 3 and protection groups 6 and 7 represent mirrored data sets of each other, while protection group 4 represents a single-instance (non-redundant) data set. In this example, protection group 8 represents a multi-tier protection group that combines other protection groups (e.g., this may represent a multi-region protection group). In this example, stripe set 1 (720 a) and stripe set 2 (720 b) illustrates how extents (e.g., extents 725 a and 725 b) may be striped into a volume, in some embodiments.

More specifically, in this example, protection group 1 (730 a) includes extents a-c (735 a-735 c), which include data from ranges 1-3 (715 a-715 c), respectively, and these extents are mapped to segments 1-4 (745 a-745 d). Protection group 2 (730 b) includes extent d (735 d), which includes data striped from range 4 (715 d), and this extent is mapped to segments 5-7 (745 e-745 g). Similarly, protection group 3 (730 c) includes extent e (735 e), which includes data striped from range 4 (715 d), and is mapped to segments 8-9 (745 h-745 i); and protection group 4 (730 d) includes extent f (735 f), which includes data striped from range 4 (715 d), and is mapped to segment 10 (745 j). In this example, protection group 6 (730 e) includes extent g (735 g), which includes data striped from range 5 (715 e), and is mapped to segments 11-12 (745 k-745 l); and protection group 7 (730 f) includes extent h (735 h), which also includes data striped from range 5 (715 e), and is mapped to segments 13-14 (745 m-745 n).

Turning now to FIG. 8, in various embodiments, as described above, a database system may be configured to generate redo log records in response to various access requests (e.g., write requests) for data stored within data pages on storage nodes and send the redo log records to the storage nodes that store the respective data pages for which the redo log records were generated. Storage nodes may detect a coalesce event for a particular data page and in response perform a coalesce operation for the particular data page. A typical database system by contrast, may apply a system-wide checkpoint that flushes all of the generated redo logs to be applied to stored data at periodic intervals, thus disrupting the processing of access requests and other tasks performed by the database.

While the method of FIG. 8 may be described as being performed by various components of a log-structured storage system, such as distributed database-optimized storage system 410 (e.g. storage system server node(s) 430, 440, 450, etc.), the method need not be performed by any specific component in some cases. For instance, in some cases, the method of FIG. 8 may be performed by some other component or computer system, according to some embodiments. Or, in some cases, components of database system 400 may be combined or exist in a different manner than that shown in the example of FIG. 4. In various embodiments, the method of FIG. 8 may be performed by one or more computers of a distributed database-optimized storage system, one of which is shown as the computer system of FIG. 10. The method of FIG. 8 is shown as one example implementation of a method for system-wide checkpoint avoidance. In other implementations, the method of FIG. 8 may include additional or fewer blocks than are shown.

As indicated at 810, redo log records linked to a particular data page stored for a database may be maintained. These redo log records (sometimes referred to as ULRs as described above) may describe a change to user data. Redo log records may be linked to a particular portion of user data, such as a data page. For example, in some embodiments redo log records may form a chain of redo log records ultimately linked to a particular data page with each redo log record pointing to the previously received redo log record for the data page. Using this example, if three redo log records are linked to the particular data page, then the most recently received redo log record will point to the next most recently received redo log record, which will in turn point to the third most recently received redo log record, which points to the most recently saved state of the data page. Please note that the logical ordering of the redo log records indicated by each pointer to a prior redo log record does not imply that such redo log records are physically stored in such an order. As discussed above with regard to FIG. 6, these redo log records may, in some embodiments, be interleaved with other redo log records linked to other portions of user data. Therefore, the previous example is not intended to be limiting.

In various embodiments, redo log records may be received from a database system, such as database engine head node 420, which may manage one or more databases for which data may be stored at a storage node, such as storage node 430, 440, 450, etc. However, in at least some embodiments a storage node may receive redo log records from one or more additional database systems or nodes for which the storage node stores data. These other database systems or nodes may also send redo log records linked to particular portions of data stored for their respective databases at the storage node.

Received redo log records may then be stored, in some embodiments. FIG. 6 describes various embodiments of how such redo log records may be received, processed, and stored at a storage node. Various forms of metadata may be maintained for the stored redo log records, such as a number or count of redo log records linked to a particular portion data, such as a data page. For instance, if as in the example given above, three redo log records are linked to a particular data page, then the redo log record count for the particular data page may be maintained at three. Other metadata concerning redo log records, such as size or physical location, and the portions of data to which they are linked may be maintained, such as pointers to various other log records or pointers to the most recently saved state of a data page.

Updates to metadata maintained for the stored redo log records may be made in response to changes to the redo log records themselves, changes to the particular data page to which they are linked, or operations or other methods or techniques performed by utilizing, or with regard to, the redo log records. For example, if a coalesce operation, as indicated at 830, is performed applying one or more redo log records linked to a particular data page to generate a current state of the data page, then the redo log record count may be updated to remove those applied redo log records from the redo log record count for the particular data page.

In various embodiments, a coalesce event for the particular data page may be detected, as indicated at 820, based, at least in part on the one or more redo log records linked to the particular data page. A detected coalesce event, may indicate that a coalesce operation may be performed for the particular data page. In at least some embodiments, detecting a coalesce event for a particular data page may occur independently from or without regard to coalesce events detected for other data pages. Consider the scenario where a particular data page may be a “hot” data page for which many redo log records are received. Redo log records may be received vary rarely for other data pages. Detecting a coalesce event may be based on the number of redo log records linked to the respective data page exceeding a coalesce threshold, and thus in this scenario, a coalesce event may be detected more frequently for the particular “hot” data page than for the other data pages.

Detecting a coalesce event may be performed as part of a storage node monitoring component or process that may run as a background process where foreground processes that handle read, write, and other access requests may be performed prior to (or delaying) the detection of a coalesce event. Detection of the coalesce event may occur at periodic or aperiodic intervals, such as when the workload of the storage node is less than a workload threshold.

Various methods and techniques for detecting coalesce events based, at least in part on the redo log records linked to the particular data page may be implemented. For example, in at least some embodiments, a coalesce threshold may be utilized to detect coalesce events. A coalesce threshold may define a number of redo log records that may be linked to a particular data page before a coalesce event is detected. For example, if a particular data page has 11 redo log records exceeding a coalesce threshold of 10 redo log records, then a coalesce event may be detected. Different coalesce thresholds may be utilized for different data pages. For instance, consider again the “hot” data page scenario that receives frequent redo log records linked to the data page. A higher coalesce threshold may be utilized for the “hot” data page, than a data page that receives redo log records less frequently, thus reducing the number of coalesce operations performed for the “hot” data page. Alternatively, in some embodiments, the same or a similar coalesce threshold may be utilized. A coalesce threshold may also be combined with various other techniques or components. For example, using other components to calculate when a coalesce threshold is likely to be exceeded and setting a timer or other component to indicate to a background monitor or other process that performs coalesce event detection that the redo log record count for the particular data page should be examined.

In at least some embodiments, the coalesce threshold for a particular data page may be determined (or for a particular set of data pages). For example, in some embodiments, the coalesce threshold may be determined according to a user-defined coalesce threshold. A user-defined coalesce threshold may be coalesce threshold requested, determined, or indicated to a storage node from a database system, such as a database engine head node 420, or client of a database system may supply a coalesce threshold to be used to detect a coalesce event. In some embodiments, a coalesce threshold may be determined based on the workload or performance of a storage node. For instance, in some embodiments, if a workload or performance measure indicates that the capacity to perform coalesce operations is low, then the coalesce threshold may be increased such that the number of coalesce events detected may be handled by the storage node at its current workload. In some embodiments, the rate or frequency that redo log records are received for a particular data page may be calculated, and used to determine a coalesce threshold. In at least some embodiments, various other characteristics may be used to determine a coalesce threshold, such as the size of redo log records, the location of redo log records in physical storage, the available space to store redo log records, and/or the time at which a coalesce operation may be performed to apply the redo log records to a previously stored version of the data page.

In response to detecting the coalesce event for the particular data page, the one or more redo log records linked to the particular data page may be applied to a previously stored version of the particular data to generate the particular data page in its current state, as indicated at 830. In at least some embodiments, applying the redo log records linked to the particular data page is performed as part of a coalesce operation. A coalesce operation or coalescing as described above may apply redo log records, such as DULRs, to an earlier version of a user page to create a later version of the user page. In some embodiments, a coalesce operation may include locating a most recent AULR (e.g., a previously stored version of a data page) and applying any subsequent DULRs in sequence without skipping any of the DULRs. For instance, if 3 DULRs are received and linked to an AULR, the first received DULR is applied to the AULR (thus applying the first received change relative to the previously stored data page). Then, the next received DULR is applied, and finally the most recent DULR is applied, applying the DULRs in a sequence determined based on receipt of the DULR at the storage node. In some embodiments, a new AULR is generated as the current state of the particular data page. The metadata discussed above, such as the redo log record count, may be updated to reflect the application of the redo log records, and with regard to the redo log record count, remove their number from the count.

In at least some embodiments, a delay may occur or be enforced between the detection of a coalesce event, indicated at 820, and applying the redo log records, indicated at 830. For example, the workload of a storage node performing said detecting and said applying, may determine a delay between the performance of applying redo log records and the detection of the coalesce event. Similarly, the application of redo log records in response to detecting a coalesce event may be performed as part of a background process, that is reduced or performed only when not performing foreground processes, such as handling various access requests (e.g., read requests or write requests). Delayed coalesce operations or application of redo logs for data pages may be entered into a data structure such as a first in first out (FIFO) queue or priority queue, that determines an order, sequence, or timing of when data pages should have redo log records applied. For example, if as in the scenario described above, a “hot” data page has a detected coalesce event, it may be more efficient to perform the application of redo logs to the “hot” data page instead of another data page. As result of delaying or performing application of redo log records as a background process, one or more additional redo log records may be received that are linked to the data page for which the coalesce event has been detected. In at least some embodiments, these additional redo log records may be applied when the other redo log records are applied to the previously stored version of the data page.

As illustrated in FIG. 4, multiple storage nodes, 430, 440, 450, etc. may be implemented as part of a distributed storage service. The various methods and techniques described above with regard to FIG. 8 above may be performed by these multiple storage nodes independently from one another. Each storage node may determine different or the same coalesce thresholds, as well as perform detecting coalesce events and applying one or more redo log records in response at the same or different times from one another.

Turning now to FIG. 9A, which shows a series of illustrations demonstrating a method to perform fast crash recovery for a distributed database system, according to some embodiments. Crash recovery in a typical database system is an arduous process. In these typical systems, upon recovery from a database system failure, a clean version of the database is obtained, then all of the redo log records from transactions that have not been stored on disk must be replayed to restore the database to its current state prior to the database system failure, creating a significant restore time before a database can be accessed. FIG. 9A, by contrast, provides illustrations of fast crash recovery for a distributed database system that may provide a faster and more efficient technique to perform crash recovery.

In scene 992, a database client 906, such as database client 250 described above with regard to FIG. 2, communicates over network 260, described above in FIG. 2, with a database head node 902, such as database head node 430 described above with regard to FIG. 4, that implements a database. Storage nodes 908 may be one or more storage nodes that implement log-structured data storage for the database implemented by database head node 902. Various access requests may be received, and subsequently serviced by database head node 902 upon retrieving the accessed data from storage nodes 908. Redo log records, such as those described above with regard to FIG. 8 may be generated and sent to storage nodes 908 in place of sending user data. Redo log records may be maintained at storage nodes 908. In at least some embodiments, a coalesce operation may be performed in response to the detection of a coalesce event, such as described above with regard to FIG. 8.

Scene 994 illustrates a database head node 902 failure. A database head node failure may be any type of system failure which causes the database head node to be unable to continue functioning, such as loss of power, no available memory, system glitch, etc. No communications between database client 906 and database head node 902 may be sent or received, as indicated in the illustration. Thus, no access to the database may be provided. Likewise, no communications between storage nodes 908 and database head node 902 may be sent or received, thus no requests for data stored for the database may be processed.

In scene 996, a recovery operation may be illustrated. New database head node 904, which may be a version of the head node application program restarted on the same system hardware or another instance of the head node started on different hardware may be brought online. Connections with storage nodes 908 may be established by database head node 904, as illustrated. Scene 998 depicts that upon establishment of connections with storage nodes 908, the same database as was implemented at database head node 902 may be made available for access at new database head node 904. Access requests, such as read requests or write requests may be sent from database client 906 via network 260 to new database head node 904. New database head node 904 may not need to replay redo log records to obtain a current state of data prior to the database head node failure, as these redo log records were already sent to storage nodes 908 which may provide a current version of data stored for the database to new database head node 908 for servicing an access request. Storage nodes 908 may apply redo log records to a previously stored version of particular data when a request for particular data is received. Alternatively, the current state of the particular data may be already stored at the storage nodes with any redo log records directed to the particular having already been applied, such as when a coalesce event is detected as discussed above with regard to FIG. 8.

FIG. 9B is a flow diagram illustrating a method to perform fast crash recovery for a distributed database system, according to some embodiments. In various embodiments, a database head node failure may occur. This head node failure may prevent any communications, modifications, or other form of access to a database implemented and managed by the failed database head node. For example, a database system client, such as database client 250 described in FIG. 2, may not be able send read or write requests to a failed database head node. The failure of the database head node may be detected, such as by web services platform 200 described above in FIG. 2, or some other system or component. In response to the failure of the head node, a restarted database head node or new database head node (e.g., a new database head node virtual instance hosted one the same or different hardware as the previously failed head node) may be instructed to perform a recovery operation. In some embodiments, this recovery operation may include the various elements depicted in FIG. 9B, although it is not limited to these elements.

Recovery from a database head node failure may occur, as indicated at 910. Recovery may be performed and determined to be complete in a variety of ways. For example, a database head node application may have various states when preparing to run, such as performing various tests, enabling various devices, etc. As part of this process, a ready state may be determined for the database head node which may indicate the completion of the recovery from node failure. Upon recovery from the database node failure, as indicated at 910, a connection with one or more storage nodes storing data for a database may be established, as indicated at 920.

As described above with regard to FIG. 9A and various other figures above, a database may be implemented an managed by a database head node, such as database head node 320 or 440 described in FIGS. 3 and 4. As part of implementing the database access requests, such as read requests or write requests described above may be processed at the database head node. In at least some embodiments redo log records reflecting changes to a database are sent to one or more storage nodes, such as storage nodes 450 described above in FIG. 4, that reflect changes to data stored at the storage nodes. Storage nodes that store data to be changed, such as particular data pages or other portions of data, may receive the redo log records which are linked to the portions of data, such as data pages, which are to be changed. These redo log records may then be applied (e.g., a coalesce operation) to a previously stored version of the portion of data, such as the data page, in response to requests for a current version of the data page, or at some other time, such as in response to detecting a coalesce event. As the redo log records for the database are maintained for the database implemented at the database head node, such as in the various ways discussed above, storage nodes may, in some embodiments, send a current state of data that is guaranteed to be current up to the time of the database head node failure to the database head node.

The storage nodes with which to establish connections with may be identified. For example, client-side storage service driver 425 described above in FIG. 4, may maintain information that indicates which storage nodes store data for the database and which portions of the database are stored on the storage nodes. A connection request, or some other communication message, may be sent using one of the various communication methods discussed above with regard to FIG. 4. Likewise, acknowledgements and other information about the status of the storage node and/or database head node may be exchanged.

Upon establishment of the connection with the one or more storage nodes, as indicated at 920, the database may be made available for access, as indicated at 930. In some embodiments, access may be provided for one or more access requests (e.g., read requests, write requests). An indication of the availability of the database may be generated and sent to a client. For example, a message may be sent to a database client that the database is available for access. Such a message may be sent via web services platform 200, described in FIG. 2, or some other communication platform or device. As noted above, in typical database systems, replay of redo log records must be performed prior to making the database available. However, in at least some embodiments, the database may be made available without replaying redo log records. Please note that the term “replay” when used with redo log records generally means to apply the one or more redo log records to a previously stored version of a data.

In at least some embodiments, a storage node may be able to detect or otherwise made aware of a database head node failure. In response to detecting the database head node failure, a storage node may perform a truncate operation on redo log records received at the storage node. A truncate operation may determine or identify redo log records that are part of a system transaction that did not complete before the failure of the database head node. These identified redo log records may then be removed or otherwise marked, moved, or identified so that they may not be applied to the data pages to which they have been linked. For example, if a storage page maintains 5 redo log records for a particular data page, and the most recent 3 redo log records are part of a system transaction that did not complete before a database head node failure, then the storage node may ignore the most recent 3 redo log records for the data page when generating a current state of the data page by only applying the 2 oldest redo log records. In at least some embodiments, a truncate operation may be performed on a storage node with affected redo log records prior to allow a connection to be established with a recovered database head node. A database engine head node may, in some embodiments, be configured similarly to determine or identify redo log records that are part of a system transaction that did not complete before the failure of the database head node and send a notification to storage nodes that these identified redo log records may be removed or otherwise marked, moved, or identified so that they may not be applied to the data pages to which they have been linked. For example, a client-side storage service driver, such as client-side storage service driver 325 described above with regard to FIG. 3, may perform the previously described techniques. These techniques describing a truncate operation may, in some embodiments, be performed as part of a background process.

In at least some embodiments, a system transaction may be an operation or other form of task or tasks to perform or implement a user transaction. A user transaction may include multiple system transactions to perform various tasks or operations from a received access request. For example, an insert instruction to the database may be received. As a user transaction, this insert instruction, may include multiple system transactions to perform the insert, such as interacting the database data structures, e.g., b-trees, to perform the insert. In at least some embodiments, an incomplete user transaction, is a user transaction all of the system transactions included in the user transaction may have not been completed (or made durable). Similarly, a system transaction may also be incomplete. Redo log records that reflect the changes made to data stored for a database as a part of user and system transactions may, in some embodiments, be identified with a particular user and/or system transaction.

FIG. 9C is a flow diagram illustrating a method to process access requests in a recovered database, according to some embodiments. As noted above, in at least some embodiments, access requests may be received a database head node that has made the database available for access. An access requests may be a read request, write request, or any other request to obtain or modify data stored for the database. As FIG. 9C illustrates, an access request may be received for a database, as indicated at 940. In response, a request for one or more data pages from one or more storage nodes may be made, as indicated 950 (both access requests from clients and data requests from a database head node are covered in more detail with regard to FIG. 5 above). A current state of the requested one or more data pages may be received from the storage nodes, as indicated at 960. As discussed above, this current state may be generated by replaying or applying the previously received redo log records to the previously stored version of the data page, or by returning the previously stored version of the data page that is the current state. In various embodiments, each data page or portion of data requested may have its current state determined, generated, and/or sent back in response to receiving the request for data (e.g., in a lazy fashion).

In at least some embodiments, undo log records may be maintained at the database head node. Undo log records, as discussed above, may record changes to be applied to data stored for a database to undo changes made to the data, such as in the event of an incomplete user transaction. A user transaction may include multiple changes to data stored for a database (such as multiple system transactions), generating one or more redo log records and one or more undo log records. A user transaction may be incomplete when not all of the changes of the user transaction were committed (e.g., made durable). A transaction table, such as transaction log 340 described above with regard to FIG. 3, may be implemented to indicate which user transactions and their associated portions of data stored at the storage nodes were not committed prior to the database head node failure, and thus are incomplete. As indicated at 970, a determination may be made as to whether a received data page is affected by an incomplete user transaction, such as indicated by the transaction table. If yes, as the positive exit indicates, then one or more of the undo log records may be applied to the data page to undo changes made by the incomplete transaction a generate a new current state of the data page, as indicated at 972. After undo log records have been applied, or the data page was not affected by an incomplete user transaction, then, the current state of the data page may be provided for servicing the access request, as indicated at 980.

In at least some embodiments, a background process may be performed that determines or identifies portions of data affected by an incomplete user transaction, based on the transaction table. Requests for the current state of portions of data, such as data pages, affected by the incomplete user transactions may sent and received. Undo log records may then be applied to undo changes directed to these data pages by the incomplete user transaction. In various embodiments, a database cache may be updated with these data pages after undo log records have been applied.

In at least some embodiments, a previously recorded snapshot may be used to restore the state of the database to an earlier state. For example, prior to making the database available for access, a request may be sent to the storage nodes to restore the data for the database to a state corresponding to a previously recorded snapshot. A snapshot may be recorded by identifying a time stamp or other marker or indicator for redo logs stored at storage nodes that allows previously received redo log records to be replayed up to the recorded snapshot point (e.g., the timestamp or marker), wherein said restoration includes applying one or more of the plurality of redo logs to a previous version of the data. Further discussion of implementing snapshots on storage nodes is provided above.

While the methods and techniques of FIGS. 9B-9C may be described as being performed by various components of a database system, such as database engine head node 420, the method need not be performed by any specific component in some cases. For instance, in some cases, the method of FIGS. 9B-9C may be performed by some other component or computer system, according to some embodiments. Or, in some cases, components of database system 400 may be combined or exist in a different manner than that shown in the example of FIG. 4. In various embodiments, the methods of FIGS. 9B-9C may be performed by one or more computers of a distributed database system, one of which is shown as the computer system of FIG. 10. The methods of FIGS. 9B-9C are shown as example implementations of methods for fast crash recovery of a distributed database system. In other implementations, the methods of FIGS. 9B-9C may include additional or fewer blocks than are shown.

The methods described herein may in various embodiments be implemented by any combination of hardware and software. For example, in one embodiment, the methods may be implemented by a computer system (e.g., a computer system as in FIG. 10) that includes one or more processors executing program instructions stored on a computer-readable storage medium coupled to the processors. The program instructions may be configured to implement the functionality described herein (e.g., the functionality of various servers and other components that implement the database services/systems and/or storage services/systems described herein).

FIG. 10 is a block diagram illustrating a computer system configured to implement at least a portion of the database systems described herein, according to various embodiments. For example, computer system 1000 may be configured to implement a database engine head node of a database tier, or one of a plurality of storage nodes of a separate distributed database-optimized storage system that stores databases and associated metadata on behalf of clients of the database tier, in different embodiments. Computer system 1000 may be any of various types of devices, including, but not limited to, a personal computer system, desktop computer, laptop or notebook computer, mainframe computer system, handheld computer, workstation, network computer, a consumer device, application server, storage device, telephone, mobile telephone, or in general any type of computing device.

Computer system 1000 includes one or more processors 1010 (any of which may include multiple cores, which may be single or multi-threaded) coupled to a system memory 1020 via an input/output (I/O) interface 1030. Computer system 1000 further includes a network interface 1040 coupled to I/O interface 1030. In various embodiments, computer system 1000 may be a uniprocessor system including one processor 1010, or a multiprocessor system including several processors 1010 (e.g., two, four, eight, or another suitable number). Processors 1010 may be any suitable processors capable of executing instructions. For example, in various embodiments, processors 1010 may be general-purpose or embedded processors implementing any of a variety of instruction set architectures (ISAs), such as the x86, PowerPC, SPARC, or MIPS ISAs, or any other suitable ISA. In multiprocessor systems, each of processors 1010 may commonly, but not necessarily, implement the same ISA. The computer system 1000 also includes one or more network communication devices (e.g., network interface 1040) for communicating with other systems and/or components over a communications network (e.g. Internet, LAN, etc.). For example, a client application executing on system 1000 may use network interface 1040 to communicate with a server application executing on a single server or on a cluster of servers that implement one or more of the components of the database systems described herein. In another example, an instance of a server application executing on computer system 1000 may use network interface 1040 to communicate with other instances of the server application (or another server application) that may be implemented on other computer systems (e.g., computer systems 1090).

In the illustrated embodiment, computer system 1000 also includes one or more persistent storage devices 1060 and/or one or more I/O devices 1080. In various embodiments, persistent storage devices 1060 may correspond to disk drives, tape drives, solid state memory, other mass storage devices, or any other persistent storage device. Computer system 1000 (or a distributed application or operating system operating thereon) may store instructions and/or data in persistent storage devices 1060, as desired, and may retrieve the stored instruction and/or data as needed. For example, in some embodiments, computer system 1000 may host a storage system server node, and persistent storage 1060 may include the SSDs attached to that server node.

Computer system 1000 includes one or more system memories 1020 that are configured to store instructions and data accessible by processor(s) 1010. In various embodiments, system memories 1020 may be implemented using any suitable memory technology, (e.g., one or more of cache, static random access memory (SRAM), DRAM, RDRAM, EDO RAM, DDR 10 RAM, synchronous dynamic RAM (SDRAM), Rambus RAM, EEPROM, non-volatile/Flash-type memory, or any other type of memory). System memory 1020 may contain program instructions 1025 that are executable by processor(s) 1010 to implement the methods and techniques described herein. In various embodiments, program instructions 1025 may be encoded in platform native binary, any interpreted language such as Java™ byte-code, or in any other language such as C/C++, Java™, etc., or in any combination thereof. For example, in the illustrated embodiment, program instructions 1025 include program instructions executable to implement the functionality of a database engine head node of a database tier, or one of a plurality of storage nodes of a separate distributed database-optimized storage system that stores databases and associated metadata on behalf of clients of the database tier, in different embodiments. In some embodiments, program instructions 1025 may implement multiple separate clients, server nodes, and/or other components.

In some embodiments, program instructions 1025 may include instructions executable to implement an operating system (not shown), which may be any of various operating systems, such as UNIX, LINUX, Solaris™, MacOS™, Windows™, etc. Any or all of program instructions 1025 may be provided as a computer program product, or software, that may include a non-transitory computer-readable storage medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to various embodiments. A non-transitory computer-readable storage medium may include any mechanism for storing information in a form (e.g., software, processing application) readable by a machine (e.g., a computer). Generally speaking, a non-transitory computer-accessible medium may include computer-readable storage media or memory media such as magnetic or optical media, e.g., disk or DVD/CD-ROM coupled to computer system 1000 via I/O interface 1030. A non-transitory computer-readable storage medium may also include any volatile or non-volatile media such as RAM (e.g. SDRAM, DDR SDRAM, RDRAM, SRAM, etc.), ROM, etc., that may be included in some embodiments of computer system 1000 as system memory 1020 or another type of memory. In other embodiments, program instructions may be communicated using optical, acoustical or other form of propagated signal (e.g., carrier waves, infrared signals, digital signals, etc.) conveyed via a communication medium such as a network and/or a wireless link, such as may be implemented via network interface 1040.

In some embodiments, system memory 1020 may include data store 1045, which may be configured as described herein. For example, the information described herein as being stored by the database tier (e.g., on a database engine head node), such as a transaction log, an undo log, cached page data, or other information used in performing the functions of the database tiers described herein may be stored in data store 1045 or in another portion of system memory 1020 on one or more nodes, in persistent storage 1060, and/or on one or more remote storage devices 1070, at different times and in various embodiments. Similarly, the information described herein as being stored by the storage tier (e.g., redo log records, coalesced data pages, and/or other information used in performing the functions of the distributed storage systems described herein) may be stored in data store 1045 or in another portion of system memory 1020 on one or more nodes, in persistent storage 1060, and/or on one or more remote storage devices 1070, at different times and in various embodiments. In general, system memory 1020 (e.g., data store 1045 within system memory 1020), persistent storage 1060, and/or remote storage 1070 may store data blocks, replicas of data blocks, metadata associated with data blocks and/or their state, database configuration information, and/or any other information usable in implementing the methods and techniques described herein.

In one embodiment, I/O interface 1030 may be configured to coordinate I/O traffic between processor 1010, system memory 1020 and any peripheral devices in the system, including through network interface 1040 or other peripheral interfaces. In some embodiments, I/O interface 1030 may perform any necessary protocol, timing or other data transformations to convert data signals from one component (e.g., system memory 1020) into a format suitable for use by another component (e.g., processor 1010). In some embodiments, I/O interface 1030 may include support for devices attached through various types of peripheral buses, such as a variant of the Peripheral Component Interconnect (PCI) bus standard or the Universal Serial Bus (USB) standard, for example. In some embodiments, the function of I/O interface 1030 may be split into two or more separate components, such as a north bridge and a south bridge, for example. Also, in some embodiments, some or all of the functionality of I/O interface 1030, such as an interface to system memory 1020, may be incorporated directly into processor 1010.

Network interface 1040 may be configured to allow data to be exchanged between computer system 1000 and other devices attached to a network, such as other computer systems 1090 (which may implement one or more storage system server nodes, database engine head nodes, and/or clients of the database systems described herein), for example. In addition, network interface 1040 may be configured to allow communication between computer system 1000 and various I/O devices 1050 and/or remote storage 1070. Input/output devices 1050 may, in some embodiments, include one or more display terminals, keyboards, keypads, touchpads, scanning devices, voice or optical recognition devices, or any other devices suitable for entering or retrieving data by one or more computer systems 1000. Multiple input/output devices 1050 may be present in computer system 1000 or may be distributed on various nodes of a distributed system that includes computer system 1000. In some embodiments, similar input/output devices may be separate from computer system 1000 and may interact with one or more nodes of a distributed system that includes computer system 1000 through a wired or wireless connection, such as over network interface 1040. Network interface 1040 may commonly support one or more wireless networking protocols (e.g., Wi-Fi/IEEE 802.11, or another wireless networking standard). However, in various embodiments, network interface 1040 may support communication via any suitable wired or wireless general data networks, such as other types of Ethernet networks, for example. Additionally, network interface 1040 may support communication via telecommunications/telephony networks such as analog voice networks or digital fiber communications networks, via storage area networks such as Fibre Channel SANs, or via any other suitable type of network and/or protocol. In various embodiments, computer system 1000 may include more, fewer, or different components than those illustrated in FIG. 10 (e.g., displays, video cards, audio cards, peripheral devices, other network interfaces such as an ATM interface, an Ethernet interface, a Frame Relay interface, etc.)

It is noted that any of the distributed system embodiments described herein, or any of their components, may be implemented as one or more web services. For example, a database engine head node within the database tier of a database system may present database services and/or other types of data storage services that employ the distributed storage systems described herein to clients as web services. In some embodiments, a web service may be implemented by a software and/or hardware system designed to support interoperable machine-to-machine interaction over a network. A web service may have an interface described in a machine-processable format, such as the Web Services Description Language (WSDL). Other systems may interact with the web service in a manner prescribed by the description of the web service's interface. For example, the web service may define various operations that other systems may invoke, and may define a particular application programming interface (API) to which other systems may be expected to conform when requesting the various operations.

In various embodiments, a web service may be requested or invoked through the use of a message that includes parameters and/or data associated with the web services request. Such a message may be formatted according to a particular markup language such as Extensible Markup Language (XML), and/or may be encapsulated using a protocol such as Simple Object Access Protocol (SOAP). To perform a web services request, a web services client may assemble a message including the request and convey the message to an addressable endpoint (e.g., a Uniform Resource Locator (URL)) corresponding to the web service, using an Internet-based application layer transfer protocol such as Hypertext Transfer Protocol (HTTP).

In some embodiments, web services may be implemented using Representational State Transfer (“RESTful”) techniques rather than message-based techniques. For example, a web service implemented according to a RESTful technique may be invoked through parameters included within an HTTP method such as PUT, GET, or DELETE, rather than encapsulated within a SOAP message.

The various methods as illustrated in the figures and described herein represent example embodiments of methods. The methods may be implemented manually, in software, in hardware, or in a combination thereof. The order of any method may be changed, and various elements may be added, reordered, combined, omitted, modified, etc.

Although the embodiments above have been described in considerable detail, numerous variations and modifications may be made as would become apparent to those skilled in the art once the above disclosure is fully appreciated. It is intended that the following claims be interpreted to embrace all such modifications and changes and, accordingly, the above description to be regarded in an illustrative rather than a restrictive sense. 

The invention claimed is:
 1. A database system, comprising: a database head node implemented by one or more computing devices, and configured to receive and process access requests from one or more clients over a network; a second database node implemented by one or more computing devices; and a distributed log-structured storage system comprising a plurality of storage nodes communicating with the database head node over the network, wherein each of the plurality of storage nodes comprises one or more persistent storage devices different from the one or more computing devices implementing the database head node, wherein each of the plurality of storage nodes is configured to store one or more redo log records received from the database system head node, and wherein the distributed log-structured storage system provides current versions of data of the database system for the one or more clients in response to access requests from the one or more clients, the current versions of data generated based at least in part on one or more of the stored plurality of redo log records; wherein the database head node is configured to perform an update operation to the database system, wherein to perform the update operation the database head node is configured to: receive, from a client of the one or more clients, a request to update a particular one or more data pages of the database system; and send, over the network in response to the update request, one or more redo log records to one or more storage nodes of the plurality of storage nodes implementing the distributed log-structured storage system, wherein each of the one or more redo log records corresponds to an update to a data page stored in one of the one or more storage nodes, and wherein the one or more storage nodes store the one or more redo log records received from the database head node to update the particular one or more data pages; and wherein the second database node is configured to: subsequent to the one or more storage nodes receiving the update request, recover from a failure of the database head node, wherein to recover from the database head node failure, the second database node is configured to: establish one or more respective connections over the network with the one or more storage nodes of the plurality of storage nodes implementing the distributed log-structured storage system; and responsive to establishment of the one or more respective connections, provide access to a current version of the one or more data pages stored in the database system, wherein to provide access to the current version of the one or more data pages stored in the database system, the second database node is further configured to: receive, from another client of the one or more clients, an access request for the database; and responsive to the received access request, send a request over a connection of the one or more respective connections to a storage node of the distributed log-structured storage system for the current version of the one or more data pages, wherein the storage node of the distributed log-structured storage system generates the current version of the one or more data pages by applying the stored one or more redo log records to previously stored versions of the one or more data pages; and receive the current version of the one or more data pages over the connection from the storage node without the second database node replaying the one or more redo log records.
 2. The system of claim 1, wherein: the current version of the one or more data pages is stored at the storage node responsive to a coalesce event, wherein during the coalesce event at least one of the one or more redo log records were applied to a previous version of the one or more data pages to generate the current version of the one or more data pages; and the second database system node is further configured to: receive from the storage node the requested current version of the one or more data pages without applying the at least one of the one or more redo log records to the previous version of the one or more data pages.
 3. The system of claim 1, wherein at least some of a plurality of redo log records sent to the plurality of storage nodes comprise a system transaction, wherein a storage node of the plurality of storage nodes is configured to: determine the system transaction is incomplete; and identify the at least some of the plurality of redo log records as not to be applied when generating a current state of a data page changed by the at least some of the plurality of redo log records.
 4. The system of claim 1 wherein at least some of a plurality of redo log records sent to the plurality of storage nodes comprise a system transaction, wherein the database system head node is further configured to: determine the system transaction is incomplete; identify the at least some of the plurality of redo log records as not to be applied when generating a current state of a data page changed by the at least some redo log records; and send a notification to one or more of the plurality of storage nodes that indicates the identified at least some of the plurality of redo log records are not to be applied.
 5. A method, comprising: performing, by one or more computing devices implementing a database head node, an update operation to a database system comprising: receiving, from a client of one of more clients, a request to update one or more data pages of the database system; and sending over a network, in response to the update request, one or more redo log records to one or more storage nodes of a plurality of storage nodes implementing a distributed log-structured storage system, wherein: the plurality of storage nodes are implemented on a plurality of computing devices other than the one or more computing devices implementing the database head node; each of the one or more redo log records corresponds to an update to a data page stored in one of the one or more storage nodes; and the one or more storage nodes store the one or more redo log records received from the database head node to update the one or more data pages; and the distributed log-structured storage system stores the one or more redo log records as part of the log-structured data storage; and the distributed log-structured storage system provides a current version of the data the database system for the one or more clients in response to access requests from the one or more clients, the current version of data generated based at least in part on the stored one or more redo log records; and subsequent to the updating, recovering from a failure of the database head node, comprising performing by a second database node: establishing one or more respective connections over the network with the one or more storage nodes of the plurality of storage nodes implementing the distributed log-structured storage system; and responsive to establishing the one or more respective connections, providing access to a current version of the one or more data pages stored in the database system, comprising: receiving, from another client of the one or more clients, an access request for the database; responsive to receiving the access request, sending a request over a connection of the one or more respective connections to a storage node of the distributed log-structured storage system for the current version of the one or more data pages, wherein the storage node of the distributed log-structured storage system generates the current version of the one or more data pages by applying the stored one or more redo log records to previously stored versions of the one or more data pages; and receiving the current version of the one or more data pages over the connection from the storage node without the second database node replaying the one or more redo log records.
 6. The method of claim 5, further comprising: receiving, by the second database node, the current version of the one or more data pages from one or more storage nodes for servicing the access request without applying the one or more redo log records to a previous version of the one or more data pages, wherein the current version of the one or more data pages was generated responsive to a coalesce event, wherein during the coalesce event at least one of the one or more redo log records were applied to the previous version of the one or more data pages to generate the current version of the one or more data page.
 7. The method of claim 6, wherein the database head node maintains a plurality of undo log records to undo updates sent as redo log records to the plurality of storage nodes, wherein the method further comprises: determining that one of the one or more data pages received from one of the one or more storage nodes is affected by an incomplete user transaction, wherein the incomplete user transaction previously applied one or more updates to the affected data page stored at the storage nodes; and applying one or more undo log records to the affected data page to undo the one or more updates previously applied to the affected data page by the incomplete user transaction.
 8. The method of claim 7, wherein the database head node maintains a transaction table indicating a plurality of incomplete user transactions including the incomplete user transaction, wherein the method further comprises: based, at least in part, on the transaction table, determining one or more additional data pages affected by at least one of the plurality of incomplete user transactions; requesting, by the database head node, a current state of the one or more affected additional data pages from the one or more storage nodes; in response to receiving the one or more affected additional data pages, applying an additional one or more undo log records to the one or more affected additional data pages to undo one or more updates previously applied to the one or more affected additional data pages by the one or more incomplete user transactions.
 9. The method of claim 8, wherein said determining the one or more affected additional data pages, said requesting of the one or more affected additional data pages, and said applying the additional one or more undo log records to the one or more affected additional data pages are performed as part of a background process at the database head node; and wherein said receiving the access request, said requesting the current state of the one or more affected data pages, and said receiving the current state of the one or more data pages are performed as part of a foreground process.
 10. The method of claim 5, further comprising performing by the second database node: prior to providing access to the current version data stored in of the database system, sending a restoration request to the plurality of storage nodes to restore data stored at the plurality of storage nodes to a state corresponding to a previously recorded snapshot, wherein the previously recorded snapshot is recorded by identifying a snapshot point, and wherein said restoration includes applying one or more of the plurality of redo logs to a previous version of the data.
 11. One or more non-transitory, computer-readable storage media, storing program instructions that when executed across a plurality of computing devices cause the plurality of computing devices to implement: receiving, from a client of one of more clients, a request to update one or more data pages of the database system; and sending over a network, in response to the update request, one or more redo log records to one or more storage nodes of a plurality of storage nodes implementing a distributed log-structured storage system, wherein: the plurality of storage nodes are implemented on a plurality of computing devices other than the one or more computing devices implementing the database head node; each of the one or more redo log records corresponds to an update to a data page stored in one of the one or more storage nodes; and the one or more storage nodes store the one or more redo log records received from the database head node to update the one or more data pages; and the distributed log-structured storage system stores the one or more redo log records as part of the log-structured data storage; and the distributed log-structured storage system provides a current version of the data of the database system for the one or more clients in response to access requests from the one or more clients, the current version of data generated based at least in part on the stored one or more redo log records; and subsequent to the updating, recovering from a failure of the database head node, comprising performing by a second database node: establishing one or more respective connections over the network with the one or more storage nodes of the plurality of storage nodes implementing the distributed log-structured storage system; and responsive to establishing the one or more respective connections, providing access to a current version of the one or more data pages stored in the database system, comprising: receiving, from another client of the one or more clients, an access request for the database; responsive to receiving the access request, sending a request over a connection of the one or more respective connections to a storage node of the distributed log-structured storage system for the current version of the one or more data pages, wherein the storage node of the distributed log-structured storage system generates the current version of the one or more data pages by applying the stored one or more redo log records to previously stored versions of the one or more data pages; and receiving the current version of the one or more data pages over the connection from the storage node without the second database node replaying the one or more redo log records.
 12. The one or more non-transitory, computer-readable storage media of claim 11, wherein a plurality of redo log records were previously received at the plurality of storage nodes from a database head node different from the database head node.
 13. The one or more non-transitory, computer-readable storage media of claim 11, wherein the received access request is a read request or a write request.
 14. The one or more non-transitory, computer-readable storage media of claim 11, wherein the database head node maintains a plurality of undo log records to undo updates to the database system, the updates sent as redo log records to the plurality of storage nodes, and wherein the database head node further implements: determining that one of the one or more data pages received from one of the one or more storage nodes is affected by an incomplete user transaction, wherein the incomplete user transaction previously applied one or more updates to the affected data page stored at the storage nodes; and applying one or more undo log records to the affected data page to undo the one or more updates previously applied to the data page by the incomplete user transaction.
 15. The one or more non-transitory, computer-readable storage media of claim 14, wherein the database head node maintains a transaction table indicating a plurality of incomplete user transactions including the incomplete user transaction, and wherein the database head node further implements as a background process: based, at least in part, on the transaction table, determining one or more additional data pages affected by at least one of the plurality of incomplete user transactions; requesting, by the database head node, a current state of the one or more affected additional data pages from the one or more storage nodes; in response to receiving the one or more affected additional data pages, applying an additional one or more undo log records to the one or more affected additional data pages to undo one or more updates previously applied to the one or more affected additional data pages by one or more incomplete user transactions. 